In 2009, two ex-Yahoo engineers developed a straightforward app in California aimed at offering low-cost, ad-free, and private communication. This application has since transformed into WhatsApp, the predominant messaging platform globally, facilitating seamless cross-border communication. Its user-friendliness has led to millions downloading the app on mobile devices.
Currently, over three billion individuals utilize WhatsApp each month, generating an estimated 150 billion messages daily. The platform has become the standard for communication, including within the financial services sector.
However, regulatory bodies did not establish record-keeping standards with consumer messaging applications in mind, presenting a significant dilemma. Bankers frequently conduct business using WhatsApp, leaving their employers without any documentation of exchanges. U.S. regulators have already imposed over $3 billion in fines for this oversight, with the UK’s Financial Conduct Authority closely monitoring the situation.
To delve deeper into this issue, we spoke with Dima Gutzeit, the founder and CEO of LeapXpert, a firm recognized by Gartner for its Digital Communications Governance and Archiving. LeapXpert specializes in providing a compliant infrastructure for businesses to communicate via consumer messaging channels while ensuring that every message is captured for audit purposes.
Gutzeit explained that ‘off-channel communications’ refers to business discussions that occur on personal devices and consumer apps—such as WhatsApp, iMessage, and Signal—that fall outside the monitored official communication systems mandated by regulators. This informal mode of messaging often occurs where teams naturally converse, and none of these communications are recorded in the bank’s archive. Consequently, the banks cannot supervise what they cannot track and are unable to furnish records as required by regulators.
Since 2021, U.S. regulatory bodies, including the SEC and CFTC, have penalized over 60 firms on Wall Street for failing to account for business conducted via personal messaging apps. Companies like JPMorgan have faced fines exceeding $200 million, with others such as Morgan Stanley, Goldman Sachs, and Citigroup also falling under scrutiny. Some firms adopted stricter measures, including penalizing bonuses and dismissing senior staff, as regulators underscored that these failures represent a significant lapse in compliance.
In the UK, the Financial Conduct Authority, led by CEO Nikhil Rathi, has been attentively observing the enforcement trends in the U.S. The FCA has reiterated that record-keeping rules apply to all channels used for regulated activities, urging financial institutions to consider all communication avenues, including those that may go unmonitored. The ongoing observations signify that this issue has escalated to board-level discussions among UK banks.
Despite many financial institutions implementing policies prohibiting the use of WhatsApp for business purposes, these prohibitions alone appear insufficient. Such bans often push conversations onto less visible platforms. Clients generally prefer communicating through familiar messaging apps, and without proper channels, bankers may circumvent these policies, potentially relocating discussions to personal devices that remain unseen by their firms.
Even firms that have implemented bans on WhatsApp have been found to be non-compliant, particularly as higher-level employees frequently disregard these policies. The presence of a policy without effective monitoring does not equate to compliance; it often merely provides regulators with a checklist to reference post-incident.
While financial penalties from regulators are daunting, more substantial ramifications may lie beneath the surface. Identifying shortcomings in communication records often raises concerns regarding other aspects of oversight, potentially exposing the firm to broader compliance failures. Lack of visibility could lead to undisclosed insider dealings or complaints, which could further compound regulatory issues.
Moreover, the impact extends to clients as well. When disputes arise, a bank’s inability to present a complete record of conversations can weaken its position. Institutional clients, such as pension and sovereign wealth funds, expect robust record-keeping practices, so a bank that cannot demonstrate comprehensive data governance is less appealing as a business partner.
Implementing a practical alternative involves allowing bankers to communicate via preferred channels while managing oversight effectively. Technologies already exist that permit messages sent on platforms like WhatsApp and iMessage to be tracked and archived without disrupting user experience.
With governed infrastructure, routing messages through business channels lets firms maintain complete records while monitoring in real time. This capability includes scanning outgoing messages for sensitive information and flagging any potential compliance issues as they arise.
Once conversations are captured, they transition from being mere regulatory requirements to strategic assets for the organization. LeapXpert Signals enables real-time analysis of communication trends, offering insights into shifts in client sentiment and identifying rising risks.
Additionally, LeapXpert’s AI-driven client intelligence tool, Maxen, transforms raw messaging data into actionable insights, providing an overview of client relationships and potential opportunities for follow-up, directly derived from conversations rather than relying on manual data entry.
Finally, a vital aspect of this approach pertains to data ownership. When a staff member departs, the organization retains ownership of client interactions, including commitments and conversations made via consumer applications. This retention significantly alters the landscape for banks that have often seen departing employees take client relationships and historical conversations with them.
Compliance executives and board members in the UK need to address this issue proactively. A report from LeapXpert highlighted that many regulated firms lack any archive of communications on consumer platforms. With U.S. enforcement actions unfolding, UK institutions must recognize the risks of unregulated messaging before they escalate, which could allow them to sidestep substantial fines.
Ultimately, the focus should not solely be on whether to manage these channels but on the value being forfeited by failing to do so. Conversations are already taking place, and data is already in motion. The pressing question remains: can banks effectively monitor what is occurring?
