
Did Regulatory Enforcement Actions and Messaging Compliance Failures Lead to a Major Cyberbreach?
By George Tziahanas | July 22, 2025
In May 2025, a major cybersecurity incident thrust the often-overlooked world of messaging compliance, WhatsApp compliance, and regulatory record keeping into the spotlight. TeleMessage, a Smarsh company widely used to capture digital communications across mobile messaging platforms, was reportedly hacked. The breach specifically targeted a clone of the Signal app—an enterprise-adapted tool meant to ensure secure message capture for compliance purposes.
This incident not only raises serious concerns about the vulnerability of these solutions but also calls into question the broader use of mass-market messaging apps, like WhatsApp and Signal, within highly regulated environments where strict compliance and data governance are paramount.
What Went Wrong with WhatsApp Compliance?
The Securities and Exchange Commission (SEC), alongside the Commodity Futures Trading Commission (CFTC), has been leading an ongoing crackdown on recordkeeping failures in the financial services sector, originally launched in 2022. These actions focused on the failure to properly capture digital communications occurring in channels such as Signal, WhatsApp, Telegram, iMessage, and similar applications. In total, over $2B in fines were issued to these regulated firms for “off-channel” communications.
Financial services firms, government agencies, and firms in other regulated industries have extensive record keeping requirements, which include digital communications. Over many years, these firms and solution providers developed platforms to capture, compliantly store and archive, and provide ready access to digital communications from commonly used platforms like email, Microsoft Teams, Slack, Bloomberg, Thomson Reuters, Symphony, and similar applications. This allowed organizations to meet their regulatory obligations while giving employees more communication options.
In parallel, the availability and use of messaging applications such as Signal, WhatsApp, iMessage, WeChat, and similar became commonplace. WhatsApp alone has nearly 3 billion monthly active users globally. These applications were designed for mass consumer adoption, prized for their simplicity and for their security, including end-to-end encryption.
However, they were not designed as enterprise applications that fit into a compliance control plane. In fact, these messaging applications generally have no built-in mechanisms for record retention or for capture into a compliant data archive.
Secure Messaging App Guidelines for Regulated Industries
It is important to understand that the regulatory record keeping requirements are not simply about storing some object for a requisite amount of time: the object must also be accessible via search for eDiscovery and regulatory inquiries. In addition, for many financial services firms these interactions are subject to Supervision and Surveillance requirements. This means a decrypted form of the communication must be available for search indexing and for analysis by Supervision/Surveillance tools. Modern archiving platforms encrypt data in motion and at rest, but the object is decrypted for operations such as indexing, supervision/surveillance, investigation, and review.
Security has been a significant driver for the adoption of these mass messaging tools, especially via the use of end-end encryption. With this approach, only the sender and the intended recipient(s) can decrypt the data. Capturing the encrypted form of the object at any point in between the two end-points, only gives an unintelligible and unusable copy.
So how do regulated firms and government agencies capture communications from end-end encrypted messaging applications, never designed for compliant record keeping? These approaches differ depending on the architecture of each messaging platform and the capabilities of the mobile messaging archiving tools—but all involve some form of intermediary, such as:
- A dedicated application that moderates the communications between the messaging application and the end user
- Clone applications that are based on the original (e.g., TM Signal vs. Signal) but add capture or governance capabilities
- Registering end-user credentials with an intermediary service to capture interactions (e.g., iMessage)
- Through the cellular carrier (text messages)
Ironically, the SEC previously confronted this tension and came down on the side of security. Historically, the SEC rules required that a designated third party have the access and capability to retrieve and produce data on behalf of regulated firms if those firms were unable or unwilling to do so.
As the SEC considered updates to its recordkeeping requirements, it received significant feedback from the industry highlighting the security risks posed by the third-party access rule. Firms expressed concern that requiring external entities to have access to core systems introduced unnecessary vulnerabilities. The Commission agreed and removed the third-party requirement, so long as internal personnel could fulfill the same role.
This is not to say that we cannot have highly secure capture from these messaging applications. The industry has a decade plus of doing so in various forms, at scale, and with high degrees of integrity. But the proliferation of mass market messaging applications that are not designed to fit within an enterprise infrastructure adds complexity, especially in trying to balance the security and compliance equation.
10 Recommendations for Secure Messaging App Guidelines
Data Archiving Considerations for Encrypted Messaging Apps
As we look across the current state of encrypted messaging, several implications emerge for organizations charged with secure communications capture and compliant record keeping:
- Reassess potential attack vectors in light of emerging threats and verify that current controls and security measures are effective and up to date.
- Reevaluate internal policies governing the use of encrypted messaging applications, weighing usability and productivity against regulatory and compliance risk.
- Anticipate that messaging platform providers may introduce new restrictions that limit third-party data capture capabilities, potentially affecting compliance workflows.
- Recognize that threat actors are increasingly targeting compliance and record-keeping systems—areas that were once considered low-risk but now represent critical vulnerabilities.
Need a Mobile Archiving Replacement Service? Try Archive360
Perhaps the greatest irony is that scores of regulated firms and government agencies are now out of compliance. Given the hack, TeleMessage suspended its service to prevent further risk or penetration. As of this writing, there is no timeline to bring the service back online. Millions of digital interactions daily from these messaging applications are not being captured, which is where this problem first started.
George Tziahanas, AGC and VP of Compliance at Archive360, has extensive experience working with clients facing complex compliance and data risk challenges. He has worked with many large financial services firms to design and deploy petabyte-scale compliant books and records systems, supervision and surveillance, and eDiscovery solutions. George also has significant depth developing strategies and roadmaps that address compliance and data governance requirements. George has always worked with emerging and advancing technologies, introducing them to address real-world problems. He has worked extensively with AI/ML-driven analytics across legal and regulatory use cases and helps clients adopt these new solutions. George has worked across verticals, with a primary focus on highly regulated enterprises. George holds an M.S. in Molecular Systematics and a J.D. from DePaul University. He is licensed to practice law in the State of Illinois and before the U.S. District Court for the Northern District of Illinois.