WhatsApp poses major risk for Financial Institutions
Following recent news of the U.S. Securities and Exchange Commission’s (SEC) investigation into Santander over its investment bankers’ use of WhatsApp for client communications, Miguel Rodríguez, Chief Revenue Officer and board member of the Swiss messaging platform Threema, shared his insights. His statement calls attention to the risks of using consumer-focused apps for sensitive financial communications, particularly within regulatory frameworks that prioritize data privacy and corporate governance.
Rodríguez expressed surprise at the ongoing use of WhatsApp by banks handling confidential client information, especially given past cases where major financial institutions such as Barclays, Bank of America, Citigroup, and others faced fines totaling $2 billion in 2022 for similar practices. These penalties highlighted the risks of using WhatsApp on private devices to share sensitive information, underscoring the SEC’s stringent stance on compliance.
“WhatsApp does not meet essential data protection requirements, like the GDPR in the EU, nor does it provide the administrative tools required for corporate use,” stated Rodríguez. Although WhatsApp is the world’s most popular messaging app, its business model relies on collecting metadata — including user location, phone numbers, and IP addresses — which compromises privacy for corporate use. Despite its end-to-end encryption, Rodríguez stressed that WhatsApp lacks the necessary security configurations for a business setting, posing substantial risks for information security and potential liabilities for corporate boards authorizing its use.
Rodríguez also highlighted the imminent relevance of DORA (Digital Operational Resilience Act), which will apply across the European Union starting January 2025. DORA mandates that financial institutions implement systems for incident reporting and customer notifications in case of significant security breaches or service disruptions. This new regulatory framework underscores the need for financial firms operating in the EU to reassess their communication tools to ensure compliance and safeguard client interests.
In closing, Rodríguez warned that “WhatsApp is not suitable for meeting DORA requirements or for use in the financial sector, whether within or outside the EU.” His statement reinforces the urgency for financial institutions to adopt more secure communication platforms that align with modern regulatory standards, ensuring data privacy and minimizing potential legal risks.