Archive360 Blog

Messaging Compliance Breach Linked to Regulatory Actions

Written by George Tziahanas | July 22, 2025

In May 2025, a major cybersecurity incident thrust the often-overlooked world of messaging compliance, WhatsApp compliance, and regulatory record keeping into the spotlight. TeleMessage, a Smarsh company whose products are widely used to capture digital communications across mobile messaging platforms, was reportedly hacked. The breach specifically targeted a clone of the Signal app—an enterprise-adapted tool meant to ensure secure message capture for compliance purposes.

This incident not only raises serious concerns about the vulnerability of these solutions but also calls into question the broader use of mass-market messaging apps, like WhatsApp and Signal, within highly regulated environments where strict compliance and data governance are paramount.

What Went Wrong with WhatsApp Compliance?

The Securities and Exchange Commission (SEC), alongside the Commodity Futures Trading Commission (CFTC), has been leading an ongoing crackdown on recordkeeping failures in the financial services sector, originally launched in 2022. These actions focused on the failure to properly capture digital communications occurring in channels such as Signal, WhatsApp, Telegram, iMessage, and similar applications. In total, over $2B in fines were issued to these regulated firms related to “off-channel” communications.

Financial services firms, government agencies, and firms in other regulated industries have extensive record keeping requirements, which include digital communications. Over many years, these firms and solution providers developed platforms to capture, compliantly store and archive, and provide ready access to digital communications from commonly used platforms like email, Microsoft Teams, Slack, Bloomberg, Thomson Reuters, Symphony, and similar applications. This allowed organizations to meet their regulatory obligations while providing employees with more communication options.

In parallel, the availability and use of messaging applications such as Signal, WhatsApp, iMessage, WeChat, and similar became commonplace. WhatsApp alone has nearly 3 billion monthly active users globally. These messaging applications were designed for mass consumer adoption, valued for their simplicity and for their security, including end-to-end encryption.

However, they were not designed as enterprise applications that fit into a compliance control plane. In fact, these messaging applications generally have no built-in mechanisms for record retention or for capture into a compliant data archive.

Secure Messaging App Guidelines for Regulated Industries

It is important to understand that regulatory record keeping requirements are not simply about storing some object for a requisite amount of time; the object must also be accessible via search for eDiscovery and regulatory inquiries. In addition, these interactions are subject to Supervision and Surveillance requirements for many financial services firms. This means a decrypted form of the communication must be available for search indexing and for analysis by Supervision/Surveillance tools.

It is important to note that modern archiving platforms encrypt data in motion and at rest, but the object is decrypted for operations such as indexing, supervision/surveillance, investigation and review functions.

Security has been a significant driver for the adoption of these mass-market messaging tools, especially through the use of end-to-end encryption. With this approach, only the sender and the intended recipient(s) can decrypt the data. Capturing the encrypted form of the object at any point between the two endpoints yields only an unintelligible and unusable copy.
  
So how do regulated firms and government agencies capture communications from end-to-end encrypted messaging applications that were never designed for compliant record keeping? The approaches differ depending on the architecture of each messaging platform and the capabilities of the mobile messaging archiving tools—but all involve some form of intermediary, such as:
  • A dedicated application that mediates the communications between the messaging application and the end user
  • Clone applications that are based on the original (e.g., TM Signal vs. Signal) but have capture or governance capabilities
  • Registering end-user credentials with an intermediary service to capture interactions (e.g., iMessage)
  • Capture through the cellular carrier (text messages)
The one thing common to all of these approaches is that a decrypted form of the interaction is captured somewhere in the end-to-end flow, and can then be routed to compliant archives or other record keeping systems. This is where the tension between security and compliance is introduced. If security were the only concern, there would be no need to introduce a mechanism that captures a decrypted object somewhere in the flow. But regulatory requirements obligate firms to capture digital communications relevant to their business, or to the operations of a government agency, occurring in these channels.
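To make the point above concrete (together with the earlier note that archiving platforms decrypt objects for indexing and supervision), here is an added illustration that is not part of the original post and not any vendor's implementation: a Python model of one message passing through an end-to-end encrypted channel with a clone-app style capture on the sender's device. It uses a toy HMAC-based stream cipher (an assumption, chosen so it runs offline with the standard library) and records every point in the flow where a plaintext copy exists, which is the inventory recommendation 5 below asks for.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (illustration only, not a real AEAD)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def archive_ingest(archive_key: bytes, plaintext: bytes, exposure: list) -> bytes:
    """Capture agent forwards the decrypted copy; the archive encrypts it at rest."""
    exposure.append("capture agent / transient staging (plaintext)")
    return encrypt(archive_key, plaintext)

def archive_search(archive_key: bytes, stored: bytes, term: bytes, exposure: list) -> bool:
    """Indexing and supervision need the object decrypted: one more plaintext point."""
    exposure.append("archive indexer (plaintext)")
    return term in decrypt(archive_key, stored)

def run_flow(plaintext: bytes = b"hold the trade until compliance signs off") -> dict:
    session_key, archive_key = secrets.token_bytes(32), secrets.token_bytes(32)  # E2EE key vs archive key
    exposure = []
    # 1. Clone app on the sender's device sees the plaintext before E2EE and hands it to capture.
    exposure.append("sender device (plaintext)")
    at_rest = archive_ingest(archive_key, plaintext, exposure)
    # 2. Only the two endpoints hold session_key; anything tapped on the wire is ciphertext.
    wire = encrypt(session_key, plaintext)
    exposure.append("network path (ciphertext only)")
    # 3. Recipient decrypts; a recipient-side clone app would be another capture point.
    received = decrypt(session_key, wire)
    exposure.append("recipient device (plaintext)")
    return {
        "delivered": received == plaintext,
        "transit_tap_usable": b"trade" in wire,   # mid-path capture of E2EE traffic: unusable
        "at_rest_plaintext": b"trade" in at_rest, # archived copy is encrypted at rest
        "search_hit": archive_search(archive_key, at_rest, b"trade", exposure),
        "plaintext_points": [p for p in exposure if "plaintext" in p],
    }
```

The returned `plaintext_points` list is the set of places a breach of the capture chain would expose readable content; every one of them exists only because compliance capture was added to the flow.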

Ironically, the SEC previously confronted this tension and came down on the side of security. Historically, the SEC rules required that a designated third party have the access and capability to retrieve and produce data on behalf of regulated firms if they were unable or unwilling to do so.

As the SEC considered updates to its recordkeeping requirements, it received significant feedback from the industry highlighting the security risks posed by the third-party access rule. Firms expressed concern that requiring external entities to have access to core systems introduced unnecessary vulnerabilities. In response, the Commission revised its position and removed the third-party requirement, so long as internal personnel could fulfill the same role.


This is not to say that we cannot have highly secure capture from these messaging applications. The industry has more than a decade of experience doing so in various forms, at scale, and with a high degree of integrity. But the proliferation of mass-market messaging applications that are not designed to fit within an enterprise infrastructure adds complexity, especially when trying to balance the security and compliance equation.

10 Recommendations for Secure Messaging App Guidelines

  1. Review all the communications channels that are being used by employees
  2. Make sure policies clearly identify what channels are permitted or prohibited
  3. Determine whether approved communication channels need to include these consumer-based messaging applications, or how they can be limited
  4. Understand, in detail, the capture mechanism being used for each of the messaging applications
  5. Verify anywhere copies of captured communications are generated, and stored even on a transient basis (prior to archiving), especially any decrypted data
  6. Review credential management and authentication with capture vendors
  7. Ask vendors for any third-party testing, penetration testing, and vulnerability management processes used for deployed products
  8. Revisit third-party risk assessments that were conducted for capture tools
  9. Have legal teams review agreements for capture vendors, any representations or warranties that were provided, and indemnity and liability provisions
  10. For impacted firms, engage outside counsel to consider whether any disclosures are required under various state or federal statutes or regulations

Data Archiving Considerations for Encrypted Messaging Apps 

As we look across the current state of encrypted messaging, several implications emerge for organizations charged with secure communications capture and compliant record keeping:
  • Reassess potential attack vectors in light of emerging threats and verify that current controls and security measures are effective and up to date.
  • Reevaluate internal policies governing the use of encrypted messaging applications, weighing usability and productivity against regulatory and compliance risk.
  • Anticipate that messaging platform providers may introduce new restrictions that limit third-party data capture capabilities, potentially affecting compliance workflows.
  • Recognize that threat actors are increasingly targeting compliance and record-keeping systems—areas that were once considered low-risk but now represent critical vulnerabilities.

Need a Mobile Archiving Replacement Service? Try Archive360

Perhaps the greatest irony is that scores of regulated firms and government agencies are now out of compliance. Following the hack, TeleMessage suspended its service to prevent further risk or penetration. As of this writing, there is no timeline to bring the service back online. Millions of digital interactions per day from these messaging applications are not being captured, which is where this problem first started.

Concerned about regulatory record keeping? Schedule a consultation with an Archive360 expert.
