The “Shadow Channels” Causing Issues for Financial Services Compliance

Shadow channels are communication tools used for business conversations that fall outside formal compliance capture and governance.
In financial services, this commonly includes WhatsApp, WeChat, SMS, personal devices, and mobile voice calls. These channels create regulatory risk because firms cannot always prove that records are complete, accurate, and unaltered during audits.
What Are “Shadow Channels” in Financial Services?
Shadow channels typically include:
- WhatsApp and other instant messaging apps
- SMS and text messages
- Mobile voice calls outside call recording systems
- Personal devices used for business communication
- Collaboration tools used inconsistently or without full capture controls
Shadow channels emerge because they are convenient, familiar, and often expected by clients, especially in relationship-driven financial services environments.
The compliance risk arises when business conversations move onto these channels without appropriate governance or compliance measures.
Why Do Shadow Channels Create Regulatory Risk?
Shadow channels introduce three core regulatory risks.
Incomplete records
If communications are not fully captured, firms cannot easily demonstrate record completeness when regulators request evidence related to a transaction, client, or event.
Loss of context and metadata
Missing metadata, such as timestamps, participants, channel identifiers, or attachments, can make records unreliable or unusable during investigations. When conversations are split across various channels, such as WhatsApp, phone calls, and SMS, context can be lost. Even if individual messages are captured, firms may be unable to provide the full context needed to explain how a decision was made.
Inability to prove data integrity
Without validation and audit controls, firms may struggle to prove that communications data has not been altered, deleted, or selectively captured after the fact. The risk is greater on instant messaging platforms such as WhatsApp, where messages can be edited or removed, which makes it harder to prove that records accurately reflect what was originally communicated.
Why Is WhatsApp a Compliance Risk in Financial Services?
WhatsApp is one of the most common shadow channels across banking, wealth management, and capital markets. The use of WhatsApp Business is growing across the world, reaching 1 billion downloads and 200 million active users as of 2023.
It is widely used because:
- Clients often prefer it, as shown by WhatsApp Business’ 98% open rate
- It enables rapid, informal communication – 67% of customers now expect brands to be reachable over instant messaging apps
- It works seamlessly across borders
However, WhatsApp was not designed for regulated record-keeping.
Without proper capture and governance:
- Messages can be missed or partially captured
- Attachments and voice notes may lack context
- Edits or deletions may not be detectable
- Personal and business communications may be mixed
When regulators request all communications related to a client or transaction, these gaps quickly become compliance challenges.
Are SMS and Text Messages a Compliance Risk?
Yes, and they are often overlooked.
SMS and text messages are regularly used for timely updates, confirmations, and approvals.
When these messages are not captured with appropriate context and integrity controls, they carry the same regulatory and evidentiary risks as any other communication channel.
Shadow channels are rarely a single tool, because clients increasingly expect to communicate on their preferred channels. Firms must therefore take each of these channels into account to ensure compliance across varied communication platforms.
Why Traditional Compliance Approaches Struggle with Shadow Channels
Many compliance frameworks were built for controlled office environments and fixed communication channels.
They struggle when:
- Communication is mobile
- Devices are personal
- Platforms change faster than policy
- Data exists, but cannot be proven complete or unaltered
Regulators increasingly scrutinize the reliability of communication data, not just its presence, so a layer of validation is critical.
How Financial Services Firms Can Govern Shadow Channels
Shadow channels exist because business communication has changed faster than compliance frameworks.
Addressing shadow channels is an essential requirement for compliant communications governance in financial services.
Financial services organizations must be able to do the following across all “shadow channels”:
- Capture communications, including mobile calls and messages on instant messaging platforms
- Preserve metadata and communication context
- Validate data to prove completeness and integrity
- Ensure fast, confident responses to audits and investigations
- Store data compliantly and securely, with the required access controls
This means moving beyond basic recording and archiving toward platforms that can capture, validate, and govern communications data consistently across all communication channels.
FAQs
Are WhatsApp and SMS considered business communications by regulators?
Yes. If messages relate to client interactions, transactions, advice, or approvals, regulators generally treat them as business communications regardless of the platform or device used.
Can regulated firms allow the use of personal devices?
Personal devices may be permitted under certain policies, but firms are responsible for ensuring that any business communications conducted on those devices are captured, governed, and retrievable in line with regulatory requirements.
Why isn’t archiving alone enough for shadow channels?
Archiving stores data, but it does not prove completeness, integrity, or context. Regulators increasingly expect firms to demonstrate how communications were captured, validated, and protected from alteration.
Are Shadow Channels Part of Your Communications?
If business conversations are happening on WhatsApp, SMS, or personal devices, you may be exposing your organization and clients to risk.
Custodia works with regulated organizations to assess modern communication channels, identify compliance blind spots, and determine whether existing capture and validation controls are sufficient.