In 2009, two former Yahoo engineers built a simple status-update app in California to provide affordable, ad-free and private communications. That application would evolve into WhatsApp, the world’s leading messaging platform: it removes the cost barrier from cross-border communication and is simple enough that anyone with a mobile device can use it.
Today, more than three billion people use it every month, sending an estimated 150 billion messages daily. It is the world’s default way to communicate – and that includes people who work in financial services.
Unfortunately, regulators never designed their record-keeping rules around consumer messaging apps, which is a major problem because bankers are running deals on WhatsApp and their employers often have no record of what was said or what was sent. US regulators have already levied more than $3 billion in fines over this single failure – and the UK’s Financial Conduct Authority is watching closely.
We spoke with Dima Gutzeit, founder and CEO of LeapXpert – a Gartner-recognised Visionary in Digital Communications Governance and Archiving – to find out the true scale of the problem and what it means for UK financial institutions.
LeapXpert provides governed business communication infrastructure that lets organisations use consumer messaging channels while capturing every message in a compliant, auditable archive. It works with regulated and non-regulated enterprises in more than 45 countries.
Dima, what exactly are ‘off-channel communications’ and why should UK banks be worried?
It is a term for business conversations that happen on personal devices and consumer apps – WhatsApp, iMessage, Signal – outside the recorded phone lines and official email systems that regulators require banks to keep. A trader messages a client to sound out pricing. A relationship manager chases a signature on iMessage. A junior drops an update into a group chat because that is where the team actually talks. None of it reaches the bank’s archive. The bank cannot supervise what it cannot see, and it cannot produce records when a regulator asks. It has become the default way business gets done, and most firms have no visibility into it.
The US has already handed out more than $3 billion in fines. What happened?
Since 2021, the SEC and CFTC have fined more than 60 Wall Street firms for a single failure: staff conducted business on personal messaging apps and the firms could not produce the records. JPMorgan paid $200 million. Morgan Stanley, Goldman Sachs, Bank of America, Citigroup, Barclays, Deutsche Bank, UBS and Credit Suisse all followed. Morgan Stanley went further, docking bonuses and dismissing senior bankers. The regulators made clear this was not a technicality. It was a record-keeping failure at an industrial scale.
Where does the UK stand right now when it comes to regulating WhatsApp messages?
The Financial Conduct Authority has been watching the US enforcement wave closely. CEO Nikhil Rathi and his senior team have warned repeatedly that record-keeping under SYSC and MiFID II applies to every channel a banker uses for regulated business, not just the ones the compliance team happens to monitor. FCA Market Watch bulletins have flagged unrecorded communications as a live concern. Coverage in the financial press confirms it is now a board-level issue for UK lenders. The only questions are which firm goes first and how large the number will be in the press release.
Most banks already have policies banning WhatsApp for business. Why is that not enough?
Because bans do not change behaviour, they just push it underground. Clients expect to be reached where they already are. A hedge fund manager in Mayfair does not want to install a second app to talk to his broker. A corporate treasurer in Frankfurt will message on the channel she uses with everyone else. When the bank says no, the banker either loses the relationship or moves the conversation to a personal phone that the firm cannot see. Many of the US firms that were fined had written policies prohibiting the use of WhatsApp. Enforcement found those policies were routinely ignored, often by managing directors and senior executives. Policy without capture is not compliance. It is a paper trail for the regulator to follow when something goes wrong.
What if a bank can absorb the fine – is there a bigger risk at play?
The fine is the headline, but it is rarely the worst of it. Once a regulator identifies off-channel failures, it raises immediate questions about what else has gone unsupervised. Were there insider-dealing conversations the firm never captured? Client complaints that were never logged? Pricing discussions that should have triggered surveillance alerts? The record-keeping breach becomes the thread that unravels wider compliance failures.
Beyond the regulator, there is the client. When a disputed transaction ends up in court, and the bank cannot produce a complete record of what was discussed, its position is significantly weakened. Institutional clients – pension funds, sovereign wealth funds, asset managers – increasingly expect their counterparties to demonstrate robust data governance. A bank that cannot account for its own conversations is a bank that becomes harder to do business with. The reputational damage compounds long after the fine is paid. It’s so hard to win back clients’ trust. It can take years to recover, and some firms never do.
What does a workable alternative actually look like?
You let bankers use the channels clients prefer – and you govern the conversations at the point of exchange. The technology exists and is already deployed at global institutions. Messages on WhatsApp, iMessage, WeChat, Signal and other consumer apps are routed through a governed infrastructure that preserves a full, immutable record without changing the user experience. The banker sends a message. The client receives it on their normal app. The firm keeps the record. But capture alone is not enough. Governed infrastructure means the platform is actively working in real time, before, during and after every message is sent.
Before a message leaves the organisation, data loss prevention controls scan it for sensitive information – account numbers, personal identifiers, confidential deal terms – and block or flag it before it reaches the recipient. Attachments and links are checked for malware so that a compromised file shared on WhatsApp does not become the entry point for a wider breach. These are not retrospective alerts. They operate at the moment of exchange, which means the risk is neutralised before damage is done.
During conversations, the platform monitors for potential conflicts of interest. If a relationship manager is communicating with a counterparty that sits on the firm’s restricted list, the system flags it. Compliance teams gain visibility that would be impossible if those same conversations were happening on a personal device outside the office.
Capture is one thing – what happens to the data once it is inside the platform?
This is where governed messaging moves well beyond archiving. Once conversations are captured, the data becomes a strategic asset for the organisation, not just a regulatory obligation.
LeapXpert Signals analyses communication patterns across the entire messaging estate in real time. It surfaces shifts in client sentiment, flags unusual engagement patterns and identifies emerging risks before they escalate. If a key client’s tone changes markedly over a series of messages, or if communication frequency with a particular counterparty spikes unexpectedly, the platform brings it to the attention of the relevant team. For compliance, this means proactive and real-time surveillance rather than reactive investigation. For the business, it means early warning on relationships that may be deteriorating.
Our AI-powered client intelligence tool, Maxen, takes this further. It transforms raw conversation data into actionable intelligence: mapping client relationships across the organisation, identifying deal signals, and suggesting next steps based on what has actually been discussed. A senior banker can see at a glance which client relationships are strengthening, which are going quiet, and where follow-up is overdue. The insight comes directly from the conversations themselves, not from a CRM that relies on manual entry.
There is also a critical principle at stake: data ownership. When an employee leaves the firm, the client relationships they managed do not leave with them. Every conversation, every document shared, every commitment made on a consumer messaging channel remains with the organisation. The institutional knowledge stays inside the building. For banks that have watched senior bankers depart and take entire client books with them, often with no record of what was discussed or promised, this changes the dynamic entirely.
What should UK compliance heads and board members be doing right now?
Stop treating this as a future problem. LeapXpert’s Silent Data Crisis report shows most regulated firms still have no archive of what staff are saying on consumer apps. UK banks have watched the US enforcement cycle unfold from a distance. Ungoverned WhatsApp is dangerous. Firms that act now will spend a fraction of what their US peers spent, without the forensic reviews, the remediation programmes, or the press releases.
At the end of the day, it’s not just about whether to govern these channels, but how much value a firm is leaving on the table by failing to do so. The conversations are already happening. The data is already flowing. The only question is whether the bank can see it.