Understanding WhatsApp supervision

Understanding WhatsApp supervision
What financial services firms need to know about the risks of scraping software versus the benefits of an API-based integration.
JUL 19, 2023

Regulatory requirements around retaining and supervising communications across financial services firms have become more stringent, in particular after an unusually high volume of business-related communications on WhatsApp was uncovered. Regulators have put users of this popular platform on high alert, while simultaneously monitoring whether firms are adhering to recent compliance shifts.

There seems to be an inherent conflict between the mandate to retain and supervise all communications and the privacy-oriented nature. To wit, WhatsApp recently released a feature called “Locked Chats” that enables users to shield messages from the prying eyes of third parties by requiring biometric keys — face ID, thumbprints, etc. — for access.

In spite of potential risks, many firms are not ready to dismiss WhatsApp, but to succeed, they’ll need to consider the following policy strategies and solutions to mitigate risk and ensure a long-term solution.

POLICY ENFORCEMENT

While prohibition is an extant solution, many firms lack enforcement capabilities. Many advisors aren't willing to give up WhatsApp as a communication channel, which results in a culture of underground activity and erosion of internal trust. Across the industry, it’s an open secret that off-channel communications are happening at firms with prohibition policies. In fact, knowledge of this activity can even end up being a multiplier for regulatory penalties. Simply put, a policy of strict prohibition does not work.

Instead, firms must adopt a policy that demonstrates both an understanding of the need to communicate over these channels and trust in the field to fully adhere to policy. We’ve seen these types of policies gain the most widespread adoption.

DATA SCRAPERS

Another solution is to engage with third-party software that “scrapes'' the data within a phone’s WhatsApp application and processes it via traditional supervision software. While this appears to solve the issue of supervision, it is problematic for two reasons:

  • First, Meta — the company that owns WhatsApp — includes language in its terms of service, or TOS, that explicitly prohibits this. It says “You will not use (or assist others in using) our Services in ways that…involve any non-personal use of our Services.” Scraping WhatsApp for business communications (i.e. a “non-personal use”) directly violates the TOS. Further, Meta has been very proactive in enforcing its TOS, sometimes resulting in firms being removed from all of Meta’s platforms, including Facebook and Instagram. This would deal a heavy blow to firms that rely heavily on those channels.
  • Second is the issue of data privacy. The solutions require access to the user’s WhatsApp account to collect these communications. But it can be difficult to differentiate between personal and business chats, which are often mingled together. Nobody wants personal conversations to be routed to their compliance team for supervision. The new “Locked Chats” feature compounds this issue; scrapers won’t even know that those hidden folders exist, since access is constrained by a biometric key that the scraper will not have access to. This new feature makes even the retention of chats on WhatsApp personal questionable at best.

So while scrapers may reduce the risk of retaining business communications on the platform, they simultaneously increase the risk of deplatforming by breaking Meta’s TOS, and commingling personal data with business data.

WHATSAPP FOR BUSINESS API-BASED INTEGRATIONS

Alternatively, Meta has an API for integrating “WhatsApp for Business” accounts into more traditional supervisory platforms. As it relates to Meta’s TOS, this is a legitimate API-based solution that enables a firm’s employees to leverage WhatsApp without risking deplatforming. The API connector permits firms to scale supervision across a large workforce without worrying about data loss, while still enjoying the benefits of WhatsApp’s end-to-end encryption.

This integration also eliminates comingling of these conversations within the app, so there's no possibility of a personal conversation being ingested into business supervision platforms. Although API-based integration trailed the need for a legitimate supervision solution, it ultimately reduces the risk of deplatforming while ensuring that business communications in WhatsApp are being adequately supervised in the manner that the SEC expects. 

As with other aspects of compliance, it’s important to formulate an approach that mitigates the vast assortment of risks associated with enabling — or not enabling — WhatsApp as an approved channel for business communications. Without doubt, an API-enabled connection is the most reasonable approach to limiting these risks. Partnering with a technology vendor that leverages this forward-thinking option for supervising WhatsApp messages will ensure that your supervision program is robust, scalable, and business-communications-specific.

Bill Simpson is director of compliance at Hearsay Systems.

Seeking an alternative option for credit exposure? Try an interval fund

Latest News

Trump teleprompter operator placed on unpaid leave amid probe into alleged Kalshi bets
Trump teleprompter operator placed on unpaid leave amid probe into alleged Kalshi bets

“The White House has extremely strict ethical guidelines with respect to issues like this,” said Press Secretary Karoline Leavitt.

GPB, the priest and a get out of jail card
GPB, the priest and a get out of jail card

Just how much does it cost for a financial advice exec to stay out of prison?

St. Louis pension fund sues FS/KKR advisor over alleged excessive fees
St. Louis pension fund sues FS/KKR advisor over alleged excessive fees

The advisor both prices FSK's private loans and gets paid on those prices, the suit claims

SEC moves to make electronic delivery the default for investor disclosures
SEC moves to make electronic delivery the default for investor disclosures

The proposal would end decades of paper-first delivery rules, but keeps a paper opt-out and draws early praise from fund and annuity industry groups.

Trump accounts could encompass every US family, 70 million children, says IRS chief
Trump accounts could encompass every US family, 70 million children, says IRS chief

The Trump accounts are “generationally changing” and bring financial literacy to youth, said IRS chief Frank Bisignano.

SPONSORED Direct indexing webinar targets tax-loss harvesting amid market swings

Northern Trust’s Ken Lassner shows advisors how to convert volatility into after-tax portfolio gains

SPONSORED Who builds the income when the pension disappears?

Dan Biagini of American Equity says the steady decline of pensions, longer lifespans and a reset in interest rates are rewriting how advisors build retirement income