WhatsApp in Financial Services: From Caution to Conscious Adoption

Ed Shorrock, Managing Director at Kroll (Channel Islands)

An Industry Update from Ed Shorrock, Managing Director at Kroll (Channel Islands)

When the US Securities and Exchange Commission began issuing eye-watering fines in 2021 for off-channel communications, the message was clear: informal doesn’t mean exempt. More than $2.2 billion in penalties later, the financial services sector has been forced to reckon with its digital habits, particularly the widespread use of messaging platforms like WhatsApp. For many firms, the issue is no longer theoretical. It’s operational, and the question has shifted from whether to engage with WhatsApp to how to manage it securely.

In the UK, the picture is less severe - at least for now. The Financial Conduct Authority has taken a more restrained approach than its US counterpart. While the SEC has pursued aggressive enforcement, the FCA has chosen a tone of moderation. In January 2025, it clarified that no new WhatsApp-specific rules were forthcoming, leaning instead on existing record-keeping obligations under a broader pro-business agenda. But this should not be misinterpreted as leniency. The absence of explicit fines does not equate to the absence of risk. UK firms are still expected to ensure communications, regardless of the channel used, are appropriately captured, stored, and monitored.

What’s become evident in recent months is that WhatsApp is here to stay. For firms, there is a growing recognition that clients increasingly expect to engage through mobile-first messaging platforms. These clients are increasingly time-poor and mobile and thus expect to communicate through the most convenient channel, which is increasingly WhatsApp, not emails or portals.

At the same time, cautious attitudes remain, and not without reason. The risks of off-channel communication are well-known: data breaches, non-compliance with record-keeping rules, exposure to market abuse, and the absence of auditable trails. In short, when WhatsApp messages go unmonitored, the consequences can be regulatory, reputational and, in some cases, legal. While some organisations opt for an outright ban, others attempt to ignore the issue altogether - both of which, in a client-led environment, are increasingly untenable.

The more sustainable approach is to embrace the reality of multi-channel communications - but to do so within a clear framework. The firms making the most progress are those that have accepted WhatsApp’s role, and have responded with structured, risk-managed strategies. That includes developing formal usage policies, training teams on acceptable conduct, and integrating WhatsApp into existing systems that enable oversight and compliance. This isn’t just about avoiding enforcement; it’s about maintaining trust and consistency in how services are delivered.

Assessing whether current communication monitoring tools are fit for purpose in a multi-channel environment is now a key task for compliance and risk leaders. That means reviewing how well these tools integrate with various platforms, whether they provide the necessary oversight, and whether they scale as needs evolve. Firms also need to gather regular feedback from users to close any functionality gaps.

WhatsApp, WeChat, iMessage - they are all part of the same off-channel communication challenge. What’s changed is that many firms now accept that these platforms are not going away. For those looking to allow WhatsApp while remaining compliant, the key pillars are clear: protect data privacy, train users, develop and enforce robust policies, monitor usage, and ensure integration with existing business and compliance systems. This is not a one-off task but an ongoing cycle of adaptation and evolution.

The road ahead is likely to diverge. The UK may never mirror the enforcement-led stance of the US, and firms may find comfort in a less punitive regime. But they would be wise not to confuse different regulatory styles with different regulatory standards. As in other areas of compliance, regulators may be quiet, until they’re not.

Ultimately, WhatsApp is not the problem. Poor oversight is. And the firms that understand that are the ones most likely to thrive, not just with regulators, but with their clients too.
