We’ve taken a look at some of the most common compliance myths for WhatsApp, and we’ve busted them, so you can separate the myth from regulatory reality.

10 September 2023
by Jay Hampshire

One of the keenest challenges compliance teams face is running into commonplace compliance myths, and dispelling disinformation so that teams get the message on how to communicate compliantly. With regulators taking an increasingly ‘zero-tolerance’ stance on non-compliance, and instances of personal fines for off-channel communications becoming more prevalent, organizations can’t risk believing the myths.

One of the most prevalent communications channels in modern business is WhatsApp, with an estimated 352 million business downloads in 2023, and over 2.7 billion personal account users.

We’ve taken a look at some of the most common comms compliance myths around WhatsApp, and we’ve busted them – so you can separate the myth from regulatory reality.

1) MYTH: Banning WhatsApp will save you from recordkeeping fines

There are multiple examples of firms falling foul of regulators when it comes to their teams using WhatsApp non-compliantly, and the fines can be eye-watering. This was demonstrated by a recent FINRA-issued fine, where the US regulator found that a firm had implemented a channel-blocker that failed to work effectively.

Our 2023 Industry Insights Report found that 59% of those surveyed had banned WhatsApp and similar apps from being used by their business. But despite this, only 2.6% of them agreed an outright ban is an effective solution. Like it or not, employees will keep using WhatsApp in spite of a channel ban. Reasons for this include familiarity with the app, as it’s one many people use day-to-day in their personal lives; ease of use for sending text messages, voice notes, and attaching files; and the fact that client-facing teams will lean towards using the applications their clients prefer to streamline their interactions. Ban or no ban, WhatsApp use is now a business reality – teams will keep using it to communicate, and regulators will keep fining firms if it’s used non-compliantly.

2) MYTH: You don’t need a dedicated WhatsApp business account – sending personal chats is fine

When it comes to using WhatsApp in a business context, it should never get personal. Although staff might think it’s okay to communicate with clients (or talk to each other about business matters) through a personal WhatsApp account, regulators won’t see it that way.

This is because messages sent on a personal account can’t be captured and stored in a messaging archive, meaning they can’t be assessed by regulators (or an internal audit) to see if conversations and activity are above board.

There are few things regulators loathe more than unrecoverable records, and we are seeing a noticeable shift towards individuals being held personally liable for personal device use for illicit communications. WhatsApp Business accounts, tied to a business number, exist for a good reason – to eliminate compliance risk by ensuring communications are captured compliantly, while making sure staff can keep client relationships and work with contacts on their preferred platform.

3) MYTH: All capture solutions for WhatsApp data are created equal

Incomplete data can hamper compliance efforts. Not knowing who sent what message, who it was sent to, and when it was sent can all slow down investigations. Regulators will take a dim view of shoulder shrugging when you don’t have all the answers.

Some firms will tout that their communications capture solutions will ensure 100% of your data is retained, but message emulators, ‘app wrappers’, or scrapers have major technical limitations. There’s no guarantee of completeness from these third-party services, which can result in metadata loss, or can record every WhatsApp message sent from a device – even the personal ones.

This opens you up to regulatory fines for incomplete data capture, and reputational damage to boot. The only way to guarantee complete data capture is to use a solution that has direct API integration with Meta – so you get your data right from the source.

4) MYTH: Capturing WhatsApp data via a third-party API is comprehensive, compliant capture

The longer a chain is, the greater the risk of there being a weak link. While outsourcing your communications capture solutions to multiple vendors can save in-house effort, it increases your risk and can even violate terms of service.

An indirect, third-party API solution opens up operational risks such as breaches of user privacy and security, and cyberattacks. A data breach at a point further down the multi-vendor chain means that your client’s data is at risk – and you’re still legally liable for the outcome of that breach. Avoiding the potential financial and reputational impacts is as simple as ensuring your solution is integrated, direct, and end-to-end, giving you full oversight and control of your – and your client’s – data, without worrying about the data breach domino effect.

5) MYTH: You can’t use WhatsApp for business communications – it’s just not compliant

While all of these myths might make it seem like you just can’t risk using WhatsApp for business communications, the real question is – can you afford not to? Your clients will almost certainly be using it, and your teams are almost certainly already using it to speak to them. Getting employee buy-in on compliance is always challenging, and demanding they stop using WhatsApp entirely, or lumbering them with a totally different communications channel, isn’t the most effective solution.

With regulators taking an increasingly zero-tolerance view on non-compliance, organizations can’t stick their heads in the sand with a channel ban or risky third-party solution and hope for the best. For those battling against the myths and looking to enable WhatsApp for their business, Atlas-t there’s a solution (see what we did there?).

We’ve busted the myths, and we’ve enabled WhatsApp for business.