The post-trade chats that US bank staff kept on personal phones, beyond the reach of their firms' archives, cost those banks more than $1.8 billion in combined SEC and CFTC penalties in 2021. The same practice, sending business messages through personal apps such as WhatsApp, Signal, iMessage, and SMS that the employer has not approved for recordkeeping, is what the compliance industry calls "off-channel communications," and it is now an enforcement target for the UK Financial Conduct Authority, Germany's federal financial supervisor BaFin, France's AMF markets authority, and the European Securities and Markets Authority (ESMA).
The legal basis is not new. Firms operating in Europe already owe recordkeeping and supervision duties under the FCA's SYSC handbook, BaFin's MaComp and MaRisk guidance, the AMF's General Regulation, and the EU's Markets in Financial Instruments Directive (MiFID II). What is changing is the willingness to test those duties against the phone in an employee's pocket.
A 15 June 2026 HaystackID press release announcing its new COMET mobile-compliance product ties the trend to a launch date and a venue. COMET, the company says, is built to give compliance and surveillance officers targeted, scheduled, recurring collection of business mobile communications in a way that respects privacy and data protection rules. The release also asserts, without independent regulator confirmation, that the four European supervisors named above "have already begun enforcing" off-channel communications policies parallel to the US model that took shape after the 2021 SEC and CFTC actions.
The corporate framing should be read as exactly that. John Wilson, chief information security officer and president of forensics at HaystackID, told reporters via the same press release that "the European legal community is where the next two- to three-year enforcement cycle will be argued and disclosed." That is a vendor's view of the timeline, not an independent forecast, but the direction of travel lines up with speeches, supervisory letters, and consultations European supervisors have run since 2023.
For those sizing budgets, the market context is this: IDC projects that global spend on security, governance, risk, and compliance services will reach approximately USD 22.8 billion by 2029, per the firm's "Worldwide Security Governance, Risk, and Compliance Services Forecast, 2025–2029" (Doc #US53611525, June 2025), as cited in the HaystackID release. Ryan O'Leary, research director of Privacy and Legal Technology at IDC, used the same release to argue that European financial firms are moving away from static policy controls toward integrated compliance and legal workflows that treat message capture as a continuous, auditable process.
What does that look like on the ground? The mechanics are unglamorous and hard. Firms need a defensible inventory of approved channels, a capture path for messages on personal devices used for work (the bring-your-own-device problem), retention periods aligned to local rules, and supervision that can reconstruct a chat thread on demand. The European Union's General Data Protection Regulation, the UK Data Protection Act, and German works-council rules constrain what can be collected, from whom, and how long it can be kept, so the capture design has to be built with privacy counsel at the table, not bolted on afterward.
Wilson is scheduled to discuss the gap between regulator expectations and current tooling on the panel "Building Cross-Functional Cyber Governance to Avoid a $25 Million Mistake" at LegalTechTalk 2026 at the InterContinental O2 in London on 17 June, 11:55am–12:15pm BST, alongside Anju Malik, associate general counsel at Omnicom, and Komal Gupta, chief information officer at Cyril Amarchand Mangaldas. The conference itself, according to the event organizer's page, expects more than 5,500 attendees and 400 speakers.
HaystackID, per the company's own positioning, is using the venue to showcase a broader product family alongside COMET, including a generative-AI document review tool called Case Insight, a conversational eDiscovery interface called CaseBot, a privacy exposure scanner called HaystackID Privacy Hub, and an AI-assisted data subject access request workflow. Jeff Shapiro, the company's managing director for Europe, used the same release to flag a rise in data subject access requests and other regulatory actions across Europe tied to AI deployment. The product list is a vendor roadmap, not a market forecast. The shift it tracks, from email-and-telephony supervision to continuous mobile-channel surveillance, is the part compliance officers should pressure-test against their own records.
The open question for the next two quarters is whether any of the four named European regulators will publish a market-wide supervisory letter, a thematic review, or a first enforcement action that names mobile messaging as a recordkeeping failure. The HaystackID release asserts that the four supervisors "have already begun enforcing" policies parallel to the US model, but the press release is the only source for that characterization, and the four supervisors' enforcement dockets and consultation papers are the place to verify the claim before any board memo is drafted on the back of it.