Hidden Risks of Zoom and Slack in Regulated Environments
How Popular Collaboration Tools Create Compliance Blind Spots for UK Financial Services
The shift to remote and hybrid working has made collaboration platforms like Zoom and Slack indispensable across UK businesses. Yet for organisations operating in regulated environments—particularly financial services, healthcare, and the public sector—these seemingly essential tools harbour significant compliance risks that many firms are only beginning to understand.
Recent findings from the European Union Agency for Cybersecurity (ENISA) paint a concerning picture:
- 67% of organisations in regulated industries reported compliance gaps when using consumer-grade communication platforms.
- More troubling still, 56% of financial institutions had inadequate systems for capturing and preserving all communications from collaboration platforms.
- 38% had significant blind spots in their communication monitoring capabilities.
The Regulatory Landscape: Why Standard Implementations Fall Short
For UK financial services firms, the stakes couldn’t be higher. Under MiFID II regulations, all “communications that are intended to lead to a transaction” must be recorded and retained for a minimum of five years.
Similarly, MiFID II requires financial firms to capture and archive employee conversations more thoroughly, including SMS text messages, instant messages, email, telephone calls, and video calls.
The challenge lies in the fundamental architecture of platforms like Zoom and Slack. Standard implementations simply weren’t designed with these stringent regulatory requirements in mind.
Features that make Zoom, Slack and other US-based tools attractive to general business users—ephemeral messaging, automatic deletion, and informal communication channels—create compliance blind spots that regulators are just starting to scrutinise.
– European Compliance Suite
As one representative from BaFin, Germany’s financial regulatory authority, observed: “We are increasingly observing that the shift to digital communication platforms has created new compliance challenges. Many institutions struggle to apply the same rigor to these channels as they historically did with more traditional forms of communication.”
Data Sovereignty: The Silent Risk
Beyond record-keeping challenges lies an even more complex issue: data sovereignty. Recent research reveals that only 35% of UK IT leaders have complete knowledge of the location and jurisdiction in which their organisation’s data is hosted. This lack of visibility presents significant risks for firms seeking to manage compliance and security requirements effectively.
The implications are far-reaching. When sensitive data crosses borders, it may fall under multiple regulatory regimes, raising questions about legal access and government overreach.
The US Cloud Act remains a particular concern, as even if data is stored locally by major global cloud providers, there is no guarantee that foreign authorities will not demand or obtain access to that data.
Jon Cosson, head of IT and chief information security officer at wealth management firm JM Finn, warns: “It’s absolutely imperative you know where your data is and how to secure it. You would not believe how many businesses still just rely on somebody else.”
The Cost of Non-Compliance
The financial implications of getting this wrong are severe. Recent enforcement actions have demonstrated regulators’ willingness to impose substantial penalties for communication compliance failures. More than $2 billion in fines have been levied by the U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission for failures to capture, retain and supervise communications via WhatsApp, SMS, chat and mobile messaging.
In the UK and EU, the penalties can be equally punishing. National competent authorities can impose fines of up to €5,000,000 or up to ten per cent of total annual turnover for legal entities, with €21 million in administrative fines issued in 2022 for breaches of MiFID II alone.
The Hidden Complexity of Modern Communication
What makes these risks particularly insidious is their subtle nature. Unlike traditional compliance failures, communication platform violations often arise from the very features that make these tools valuable. Consider these scenarios:
Screen sharing during client calls: Zoom’s screen sharing functionality may inadvertently expose confidential information to unintended recipients, creating potential market abuse scenarios that are difficult to detect and monitor retrospectively.
Slack’s channel proliferation: The ease of creating private channels and direct messages can lead to business-critical discussions occurring outside monitored channels, creating gaps in the audit trail that MiFID II explicitly prohibits.
Cross-jurisdictional data flows: A single video call between a London-based adviser and a client in Dublin might involve data processing in multiple jurisdictions, each with its own regulatory requirements and data protection obligations.
Inadequate Mitigation Strategies
Many firms have attempted to address these risks through policy-based controls or by disabling features entirely. However, recent fines have signalled that policy-based controls are an inadequate compensating control when it comes to off-channel communications.
More concerning still, almost half of organisations are taking a draconian approach by disabling features in an attempt to limit the risk of new channels being used. This approach often backfires: disabling key features that users want and need in their unified communications (UC) tools increases the risk of employees adopting unmonitored channels to engage with customers.
Research by Theta Lake found that 66% of respondents believe employees in their organisations are using unmonitored communications channels, posing heightened security and compliance risks to businesses.
The Shift in Risk Landscape
The compliance landscape is evolving rapidly, driven by both technological change and geopolitical factors. Today, 83% of UK IT leaders fear that geopolitical risks may threaten control over their data, whilst 61% treat data sovereignty as a strategic priority.
This growing awareness is prompting significant changes in technology strategies. Recent research indicates that 54% of surveyed organisations have implemented digital migration strategies in the past year, with many firms reconsidering their reliance on foreign cloud providers.
Building Robust Compliance Frameworks
For regulated firms, addressing these risks requires a comprehensive approach that goes beyond simple policy statements:
Enhanced Data Mapping: Organisations must implement comprehensive data mapping to understand exactly where their communication data resides and under which jurisdictions it falls. This includes regular audits of data flows and storage locations.
Native Compliance Integration: Rather than retrofitting compliance onto existing platforms, firms should prioritise solutions that embed regulatory requirements into their core architecture from the outset.
Cross-Border Risk Assessment: Any communication platform deployment must include thorough analysis of data sovereignty implications and potential exposure to foreign legal frameworks.
Comprehensive Monitoring: Effective compliance requires the ability to capture, store, and analyse all forms of communication—including multimedia content, screen shares, and metadata—in a format that preserves context and supports regulatory investigations.
The Path Forward
The reality is stark: firms can no longer treat communication platform compliance as an afterthought. The combination of stringent regulatory requirements, severe financial penalties, and complex data sovereignty challenges demands a fundamental rethink of how organisations approach collaboration technology in regulated environments.
Success requires moving beyond the assumption that popular platforms are inherently suitable for regulated use. Instead, firms must adopt solutions that are purpose-built for compliance-first environments, offering transparency, control, and verifiable adherence to regulatory requirements.
The choice is clear: invest in proper compliance infrastructure now, or face the potentially devastating consequences of regulatory enforcement later. In an environment where the hidden risks—from compliance gaps and data sovereignty concerns to record-keeping failures and expanded attack surfaces—require strategic mitigation through appropriate technology choices, supplementary controls, and robust governance, half-measures are no longer sufficient.
The firms that thrive in this new landscape will be those that recognise compliance not as a burden to be managed, but as a competitive advantage to be leveraged through thoughtful technology selection and implementation.
This analysis is based on current regulatory guidance and industry research. Organisations should consult with their compliance and legal teams to understand their specific obligations and risk tolerance.