The Five Principles of WhatsApp Compliance

Written by Mike Campfield | Apr 22, 2020 4:00:00 AM

WhatsApp has become an invaluable way for professionals to quickly communicate with customers, prospects, or suppliers – and in some regions, the only way to garner a response. For example, 90% of healthcare providers in Brazil use WhatsApp, forgoing traditional business channels like phone and email.

However, with WhatsApp comes the specter of WhatsApp compliance. Just ask the major US bank that suffered a $125M SEC fine in December 2021 after admitting that its bankers used WhatsApp to “circumvent federal record-keeping laws.”

Many in highly regulated industries like financial services and pharmaceuticals find it challenging to establish WhatsApp compliance monitoring, much less to secure WhatsApp itself as a mode of business communication. Scrutiny over WhatsApp compliance started before the COVID-19 pandemic – and now the push to secure WhatsApp for business use is growing, as companies realize how the mobile messaging app can accelerate their digital transformation. Businesses now need WhatsApp to expand market reach, gain an edge on competitors, and boost revenue growth.

WhatsApp has rapidly become so ubiquitous that it now has over 2 billion users. Inevitably, it has shifted from being only a personal tool to being a professional tool. More than five million businesses have integrated WhatsApp into their core strategies. And due to its cheap pricing and simplicity, the platform has become the default business communication channel for emerging markets such as Brazil and India. 

The testimonies are numerous and varied. For example, a clothing outlet in Brazil achieved a 10% monthly revenue growth once it allowed 80% of its orders to move through WhatsApp.

Clearly, businesses in emerging markets need to be able to leverage the power of WhatsApp. But to secure WhatsApp and keep it compliant, enterprises need to get their WhatsApp compliance stance right.


Here are the five foundational steps to get started:

1. Employees Must Opt-In to Oversight

Overseeing employee WhatsApp use begins with security and compliance teams gaining visibility into communications. Because WhatsApp encrypts messages end to end, gaining that visibility takes deliberate technical work. But before companies begin protecting employee WhatsApp channels, to make sure messages are free of malicious links and compliant with company policies, they need a firm opt-in policy.

WhatsApp isn’t like someone’s company-assigned email. WhatsApp is where we conduct a lot of our personal and private lives. Employees assume that no one, and certainly not their boss, can see into their WhatsApp messages. This is why enterprise WhatsApp compliance and security needs to start with full transparency. Companies should explain to employees why and how they intend to monitor their WhatsApp communications, and should proactively offer solutions to any apprehensions about privacy. An obvious one is a separate work SIM card for professional WhatsApp use, which employees can swap for their personal SIM when they’re not at work.

However WhatsApp compliance monitoring is structured, employees have to be in the loop, and they have to have opted in to having their messages scanned and archived for company policy violations. Ethically and legally, this is the only option.


2. Preserve the Native WhatsApp Experience

Companies are open to using WhatsApp because it’s the app people are using anyway. They use it to talk to friends and family, and everyone prioritizes convenience. Reaching people where they already communicate is far preferable to asking them to go elsewhere.

What companies need is WhatsApp compliance archiving and monitoring, and various solutions offer this. WhatsApp even licenses an enterprise version. However, these solutions have drawbacks that can get in the way of the native WhatsApp experience. When you disrupt the experience people are accustomed to, you create friction within business processes. As we've heard from several customers: if you have to think about compliance, you're probably already out of compliance.

Unnecessary friction can result in these four poor business outcomes:

  1. Poor customer experience: This happens if the application doesn't allow both calling and texting, or if it anonymizes your employee's identity in favor of the company's brand. Either way, you interrupt the relationships your growth teams already have in place with clients, customers, and prospects.
  2. Low adoption among employees: This happens when a compliance solution is so complicated that employees simply don't use it.
  3. Neglect and non-compliance: If the compliance solution requires employees to take extra steps -- like adding an agent, or moving a conversation over to a different application -- it becomes easy to forget, resulting in non-compliance.
  4. Circumvention: Unnecessary complexity also creates the opportunity for workarounds, like employees intentionally moving communications to another thread or not adding an agent to get around record-keeping.

The answer is a non-intrusive compliance solution: something that can identify and remediate risks as early as possible without getting in the way of your business. An effective compliance solution should run in the background of any device, integrating seamlessly with your existing tech stack and helping you avoid financial penalties without the hassle.

3. You Need Deep Visibility

Once employees have opted in, and understand that all their WhatsApp activities are being vetted, companies need to achieve and maintain absolute visibility into all WhatsApp interactions. This is the only way that compliance teams can be sure they are catching any and all potential regulatory risks. An employee might be sending hundreds of WhatsApp messages a day. It isn’t enough to check half of them. An issue could be lurking in any of the hundreds that weren’t scanned.

The challenge is that WhatsApp compliance archiving – that is, scanning and capturing every message and every interaction in WhatsApp – is a big ask. The volume and velocity of digital communications is staggering. Data from one of our own pilot programs shows that 13 field force reps from a pharma company in Brazil generated 2,400 messages in 14 days. At that rate, the country’s entire field force of 450 reps would generate over 178,000 messages every single month. Human teams cannot keep up with communications at this scale; or, more accurately, the number of dedicated people you’d need to keep up with it all is simply not viable. Instead, you need help from cloud-scale machine learning (ML).

Using machine learning, a dedicated solution can centralize all relevant accounts into a unified WhatsApp compliance and security management hub. Having the view from a single, unified platform empowers businesses to gain complete, real-time visibility into enterprise WhatsApp compliance. Issues can be flagged automatically and instantly; remediation can occur right away.


4. Ensure Policy Customization

Every industry and every business experiences different pressures. Each enterprise has to keep an eye on a different set of regulations and make sure that everything it does is compliant. At the same time, each enterprise has its own set of internal policies and standards to which it needs to adhere. For every company, this combined policy set is complex, subtle, and varies from region to region.

In short, a one-size-fits-all solution won’t work. WhatsApp compliance isn’t as simple as deploying catch-all solutions that scan for certain words or ban specific images. The approach has to be flexible and customizable. When establishing WhatsApp compliance monitoring, companies need risk management solutions that let them compose and customize their policies, and then quickly apply them across the full breadth of communications.

Companies need to be able to constantly update, add to, or refine policies. They need these policies to tie seamlessly into an automated alert management system.

5. The Technology Needs to be Scalable

It’s no good having WhatsApp compliance archiving and monitoring that works great for your current company setup but will strain under the load in two months’ time. The scale and speed of WhatsApp communications is only going to grow, and more people are going to use the platform for work. That means more and more employees opting in to your WhatsApp compliance model, and more and more communications to track. More messages. More complex policies. More scanning.

Once again, only an ML-powered, centralized, dedicated platform can offer the scalability required here. The most effective tools are built with scaling baked in, so that the core technology can handle any feasible uptick in communications – enabling you to extend your security policies to channels that traditional perimeter security leaves unprotected. Older, perimeter-based tools cannot offer this, and humans could never keep up.

WhatsApp is here to stay. Regulators know this and are now rigorously enforcing record-keeping requirements. Enterprises must recognize the mobile messaging app as part of their business communication tech stack. But out of the box, the platform is a black box and often tied to personal devices, creating a security and compliance nightmare. Smart companies should establish a WhatsApp compliance and security model now, so that they are prepared to seize future business opportunities from slower competitors.
