Blog article
See all stories »

WhatsApp and WeChat - the next big headache for compliance?

Over the last eighteen months the use of WhatsApp and WeChat has steadily grown within financial services. It doesn’t matter which country you operate in, I guarantee there’s a regulation that says you need to authorise its use and capture conversations. How you do it is a complex question to answer.

WeChat has been around since 2011, WhatsApp even longer, so why is that they are only becoming a problem now for compliance? The simple answer is popularity. Just as the once big players in the messaging world replaced the popular ICQ in the nineties and the noughties, so now the preferred chat apps are changing again.

They are helped no doubt by the demise of MSN Messenger, the retirement of Google Talk, the lack of a desktop client in Yahoo! Messenger, and the unwillingness of AOL to provide support to regulated industries. Although this is hardly unexpected because managing desktop applications is expensive for a developer, especially as instant messaging moves more to mobile devices, and these applications were all technically aimed at consumers.

Unlike their previous counterparts, both WeChat and WhatsApp allow users to send messages that are encrypted end to end. From a compliance and eDiscovery standpoint this makes them difficult to intercept and capture. Until now firms have been limited to just a few choices in their ability to achieve compliance:

  • force users off their mobile clients and onto the desktop web-browser interface where it can be recorded
  • install resource-hungry screen-grabber type technology on mobile devices to record screen updates
  • rely on the user to back-up their mobile device regularly and provide the backup to their employer.

None of these methods are truly satisfactory in the scope of what’s achievable today. Applications such as WeChat and WhatsApp are designed to be used primarily on mobile devices. In a world of BYOD (Bring Your Own Device), how many users would be happy to allow their company to see all of their personal activity alongside the business elements and submit the whole of their system backup to their company?

In recent times, there has been a huge shift in electronic communications away from traditional desktop hardware and operating systems towards mobile devices. This is especially prevalent in the instant messaging and social media world. Mobile applications are quick and functional to use, and for a lot of individuals they are run on personal devices with which there is an emotional attachment because all their contacts and photos are there and it’s a device that stays close to their person at all times.

A lot of companies try to ban the use of text messaging or mobile applications because they are hard to track. But despite this, users pick up their phone and quickly “WhatsApp” or “WeChat” someone anyway, because they forget and it seems unnatural to go to the PC to use those applications.

This could be combatted by installing screen grabber-type technology on the mobile device that builds a series of image files into an “audit” video that can be played back. However, this doesn’t just potentially impact on the performance of the handset, but creates a set of files that can only be searched by date stamp and handset owner. It’s not possible to access the message in a way that makes it easy to search without first post-processing the content through an image / video OCR (Optical Character Recognition) system. This means you can’t proactively look for infringements of regulations, and a wide reaching eDiscovery request will leave you shaking your head in despair.

Regular back-up and restore might mean the information is available in a searchable database, but it’s open to human error and abuse. Firstly it relies on the user doing something regularly, but even if the system is automated the user still has the potential to alter, edit and delete conversations before the back-up. When compliance is about content, not channel, real-time capture is needed to prove exactly what was said to whom. End users typically don’t like this approach, particularly in a BYOD environment because they could be handing over all their personal communications at the same time.

A more elegant solution to the issue would be to utilise the messaging app’s ability to replicate conversations across different devices where the user is logged in and to mirror the conversation in a parallel compliance session. This allows for interactions to be captured in real-time and placed in a searchable archive with no ongoing impact on the user.

In addition, this would entail an opt-in permission from the user, which would give firms the opportunity to authorise initial use and enable for action to be taken if or when the loss of the parallel session is detected. This might occur for instance if there are availability issues with the WhatsApp or WeChat network or if the user clicks “logout from everywhere”. The action might be for example notifying the user they are no longer authorised and therefore limiting the organisation’s compliance liability.

While mirroring isn’t foolproof and ultimately users wanting to find a way around constraints for nefarious reasons will always look for the loopholes, it is the best achievable with today’s technology.

From a company perspective, it’s a lot easier to manage employees using enterprise tools, but the demand from users for using public networks is never going to go away. They are the modern equivalent of the mobile phone address book, with contacts built up over long period of time. It’s not just about how customers and partners want to communicate, but it’s their personal brand or worth when moving to another division or company. The rolodex of people they trust and those that trust them.

I regularly try out new encrypted public messaging networks, some with privacy controls that go beyond WhatsApp and WeChat’s current capabilities such as message expiry and shredding built-in and think it’s highly likely we will see more and more of them being used for everyday communications. Introducing the right technology now will not only make it easier for firms to include new electronic communication tools in the future, but will ensure the compliance and security of the business today.


Comments: (0)

Blog group founder

Member since




More from member

This post is from a series of posts in the group:

Financial Services Regulation

This network is for financial professionals interested in staying up to date on financial services regulation happening anywhere in the world. CFOs, bankers, fund managers, treasurers welcome.

See all

Now hiring