Author: Brad Filepas
01 May 2025
In today's rapidly evolving financial services landscape, juggling an ever-growing list of communications compliance challenges is typically easier said than done. Whether it be emerging regulatory priorities, device management struggles, AI advancements, or the complexities of new messaging platforms, there is no shortage of considerations for financial firms in 2025.
Recently, SteelEye and SnippetSentry co-hosted a roundtable event in New York City, gathering senior compliance professionals from various leading financial institutions. The discussion provided an insightful snapshot of industry trends and predictions for the future of communications compliance.
This blog explores the key themes from that discussion, highlighting both the challenges and opportunities for financial firms in 2025 and beyond.
Below, we’ve recapped the key takeaways from SteelEye and SnippetSentry’s recent New York City roundtable around North American communications compliance in 2025.
Despite regulatory uncertainty around a new presidential administration, firms are committed to maintaining their compliance investments due to the high cost of rebuilding policies, procedures, and systems.
Relying on a BYOD approach can leave monitored employees wondering whether their privacy is being violated, with many expressing interest in surveillance solutions that can separate personal and work content.
While firms are rapidly adopting AI solutions for financial compliance, explainability is crucial. Firms that understand the technology and can articulate their AI's decision-making logic will strengthen regulator trust.
Firms are seeking clear guidance on whether or not AI-generated meeting transcripts and summaries should be subjected to record keeping requirements, as many are split on the matter.
Regulators are increasingly rewarding proactive transparency. Firms prepared with scenario-based compliance training and documented efforts to curb off-channel conversations can significantly mitigate penalties, even if breaches occur.
While the aforementioned topics were top of mind for the senior compliance professionals in attendance, a number of additional themes were also discussed. We encourage you to read on for a full summary.
With the transition to a new U.S. presidential administration, North American financial firms are likely to experience a shifting regulatory landscape that differs from the one they have learned to navigate in recent years. When JP Morgan was first hit with an eye-watering $125 million fine for record-keeping failures in December 2021, it sent shockwaves through the industry. And while some may have initially viewed it as a one-off occurrence, it quickly became clear that this would be the new norm. Since then, the crackdown around off-channel communications has steadily intensified, with one firm after another falling victim to increased enforcement actions. As recently as January 2025, the SEC fined 12 major institutions a combined $63 million for record-keeping violations.
However, industry consensus suggests the regulatory spotlight on standalone off-channel infractions may be scaled back under current leadership, transitioning instead to a broader enforcement approach. Violations related to unauthorized communications are likely to be integrated into larger regulatory investigations rather than pursued independently. Consequently, monetary fines could also decrease from the recent unprecedented levels that have become customary.
Yet, despite anticipated shifts under the Trump administration, market participants broadly agree on the necessity of maintaining compliance investments. Given the historical regulatory cycles, firms will remain cautious, recognizing that the next administration could reignite intense scrutiny. As a result, most financial institutions are unwilling to dismantle the robust compliance frameworks they have developed in recent years, understanding the high cost of rebuilding policies, procedures, and systems from scratch. The broader strategic consensus is clear: compliance remains critical, even amidst potential regulatory reprieves.
Financial firms continue to grapple with device management strategies, with the debate centering around BYOD (bring your own device) versus company-issued phones.
While the BYOD approach offers convenience and cost savings, it also carries inherent risks. Many firms deploying this strategy rely heavily on employee attestations - formal acknowledgments that they will exclusively use approved communication channels. And while the trust being bestowed upon employees can be uplifting, it also provides a free pass for rogue actors and has contributed to the uptick in off-channel communications we’ve witnessed in recent years.
Additionally, privacy concerns surrounding personal devices further complicate the BYOD strategy. Naturally, employees prefer to keep their personal interactions - family chats, photos, private communications - separate from work monitoring. And while some modern surveillance solutions can distinguish and separate personal versus work content, it’s a capability that many legacy providers lack, often leaving employees feeling vulnerable and wondering whether their privacy is being violated.
Conversely, there has been a resurgence of company-issued devices in recent years. Some institutions are increasingly encouraging their employees - particularly those in client-facing roles - to use company-issued smartphones pre-loaded exclusively with approved business apps like Microsoft Teams, Slack, and Bloomberg Chat. These corporate devices typically restrict downloading unapproved apps, reducing potential compliance breaches.
However, challenges persist. Many senior executives have resisted company-issued devices due to the inconvenience of managing two phones, complicating efforts to build a cohesive compliance culture. Firms face questions about the consistency and fairness of their compliance policies if top management doesn't adhere equally.
Whether firms issue corporate devices, rely on BYOD, or leverage a hybrid strategy that encourages employees to use a second device without making it mandatory, one thing is for certain: the matter requires far more time and attention than simply deciding which phones will be used to conduct business. Institutions must deploy a truly robust compliance approach with clear policies, transparent expectations, ongoing employee education, and sophisticated compliance technology if they want to have any chance of effectively curbing off-channel communications.
AI has rapidly evolved into a cornerstone technology within financial services, reshaping the way market participants approach communications compliance and surveillance. Unlike traditional rule-based systems, which can become outdated over time, AI-driven solutions are capable of learning new deceptive patterns, deciphering slang, and quickly identifying anomalies. Their ability to adapt to subtle communication nuances helps compliance teams stay ahead of evolving threats and save valuable time on investigations.
However, despite the clear operational benefits, regulatory acceptance remains a key industry consideration, making explainability and transparency in AI models crucial. Should a firm ever be subjected to a regulatory examination, a black box approach will not suffice. Organizations must be able to articulate how they are leveraging the AI solutions found in their archiving and surveillance software. AI that offers detailed reasoning behind each flagged communication can help maintain credibility and defensibility in regulatory reviews. This also underscores the importance of strong vendor-client relationships, with proper training and an open line of communication being key.
Although many firms are already seeing the benefits of leveraging some form of AI in their compliance solutions, there’s still room for drastic improvement. The output of AI models greatly relies on the information it receives, which has opened the door for an emerging conversation: should firms be willing to voluntarily share their data on a wider scale in order to enhance these AI models?
While sharing sensitive communications data for training purposes is generally unpopular due to privacy concerns, there are clear benefits, such as improved detection accuracy and cost savings. Not long ago, we saw a similar scenario in the banking world, as many large institutions believed the privacy of their data was their competitive advantage. Over time though, that mindset shifted, and increased collaboration amongst banks led to improved fraud detection, cyber threat intelligence sharing, and coordinated AML efforts.
Similar to the overarching conversation around AI, there is little certainty around where things will head next when it comes to training models for compliance purposes. But it’s not out of the question to think firms that contribute data to this cause could be incentivized with advanced capabilities compared to those choosing privacy-first approaches.
The proliferation and continuous evolution of communications platforms remain one of the industry's greatest compliance challenges. Traditionally monitored platforms - such as Bloomberg Chat and Microsoft Teams - remain central, but the ongoing emergence of new platforms and communication functionalities presents a moving target.
Firms now face risks from obscure messaging apps or emerging platforms rarely used within the broader industry. The sudden appearance of unusual communications apps on employee devices should, at the very least, cause some level of concern. If it's an app not typically adopted by the rest of the firm, compliance teams should be willing to dig deeper and understand what purpose it serves for that specific individual. As discussed earlier, corporate-issued phones with restrictions on which apps can be downloaded can help mitigate the issue. Additionally, some firms have elected to survey their employees regarding which channels they use for business communications. Not only does this approach help identify newly trending apps that are worthy of a second look, firms can also use the findings to determine which apps are more obscure and therefore a potential red flag.
The proliferation of new channels is only a piece of the equation, though. Existing platforms regularly add new features that complicate compliance oversight, including disappearing messages, shareable lists, and ephemeral chat functions that obscure records. Staying on top of these enhancements is extremely difficult, as many apps are constantly releasing updated versions of their product. If members of compliance teams aren’t frequently updating their apps and thoroughly examining them, how can they be expected to know these potential workarounds exist? While dedicating resources to reading release notes and flagging potential threats is an option, it’s a massive undertaking and not practical in the long term.
Voice and video communications represent another area of concern. Increasingly common workplace technologies such as Zoom or Teams calls often incorporate transcribing and summarization features, creating compliance records that firms must manage carefully. While expectations around voice and video archiving remain ambiguous in North America, there are clear requirements around storing written records, causing firms to think twice before flipping on the “transcription” or “summary” feature during their next call.
The evolution of new and existing channels is arguably the most daunting challenge for market participants when it comes to communications compliance and surveillance. As a result, firms must increasingly adopt proactive monitoring strategies, forming cross-functional teams to regularly review emerging technologies and communication trends. Additionally, they must deploy record-keeping solutions that can reliably archive communications in a secure, 17a-4 compliant vault.
Staying agile, updating policies frequently, and rapidly integrating compliance technologies capable of capturing and surveilling new platforms become strategic necessities rather than optional enhancements.
When it comes to improper communications, determining appropriate levels of personal versus corporate accountability remains a gray area. Even if a firm has a strong culture of compliance, there’s no guarantee that it will be able to prevent every breach. This raises the question: what liability should the firm have if a bad actor intentionally circumvents the rules, despite robust policies and procedures being in place?
On the flip side, many monitored employees have found themselves between a rock and a hard place when their coworkers' and clients' use of unregulated channels has directly impacted them. Often, communications on personal channels may initially be harmless but quickly turn into business discussions, complicating monitoring efforts. Moreover, getting in touch with senior executives or high-value clients can often be a difficult task, and in instances where they reach out on an unapproved channel, finding a way to direct the conversation to a firm-approved platform can be easier said than done. How do employees balance doing what’s right for the firm without assuming the role of watchdog?
In reality, there needs to be a collaborative approach when it comes to maintaining high compliance standards. Firms must offer realistic scenario-based compliance training, outlining practical solutions for employees when they are confronted with off-channel communication attempts. Additionally, organizations must stress the critical importance of fostering a culture where employees feel empowered - and expected - to redirect communications proactively to approved channels.
Even if a firm has dedicated itself to building a culture of compliance that is supported by robust policies and procedures, it only takes one bad actor to fall short of its obligations. Should your firm be subjected to a regulatory examination for communication compliance failures, some measures can be taken to mitigate the impact. Regulators have shown a willingness to work with those that, in the words of the SEC, “self-report, cooperate, and remediate.” The CFTC recently doubled down on this stance when, in February 2025, they announced an “enforcement sprint,” which offered firms a chance to self-report infractions and suggest a remediation plan in exchange for reduced penalties. They even went as far as to develop a “mitigation credit matrix,” allowing firms to see what type of leniency they could expect for the promptness, completeness, and suggested recourse of their self-reporting.
Regardless of what is being offered, firms should always be transparent, open, and cooperative during investigations. By possessing accurate and complete data, showcasing a deep understanding of their compliance technology, and demonstrating that best efforts were made in training their workforce, firms can mitigate the impact of a regulatory examination.
Across these trends, adaptability and proactive management stand out as the essential attributes for future-proofing compliance programs. The regulatory landscape, technological innovations, and organizational complexities will undoubtedly continue evolving.
Financial institutions must remain agile, investing strategically in comprehensive compliance technologies, clear policy formulation, and continuous employee education. Successful compliance strategies also require strong executive sponsorship, fostering a compliance culture supported equally by leadership and frontline employees.
By proactively addressing compliance challenges through ongoing collaboration, robust surveillance technologies, and clear policy communication, financial firms can remain resilient amidst evolving regulatory expectations.
SteelEye and SnippetSentry remain committed to facilitating these crucial industry discussions, continuously innovating the compliance solutions we offer, and partnering closely with financial institutions as they navigate these complexities.
If you’re interested in streamlined compliance and future-proof communications surveillance solutions, we invite you to:
Book a Demo to explore our platform, where we'll demonstrate how SteelEye's comprehensive communications compliance solution enables you to capture, archive, and monitor communications across a multitude of channels - including email, voice, chat, and collaboration tools - ensuring adherence to regulatory obligations under the SEC, CFTC, and FINRA.
Sign up for our Newsletter to stay informed on the latest developments in communications compliance, including updates on regulatory changes, best practices for maintaining robust oversight across all communication platforms, and enhancements to our communications archiving and surveillance solutions.
We look forward to supporting you through these changes!