Dima Gutzeit is the Founder and CEO of LeapXpert, a leader in digital communications governance serving enterprises across 45+ countries.

Every enterprise has a version of the same communication problem. The official policy says one thing. The business often does another.

A client sends a WhatsApp message because it is faster. A relationship manager replies because serving the client immediately feels more important than moving the conversation into an approved channel. A group chat appears because a decision needs to move quickly. A private thread continues because everyone involved already knows where to find it.

In the heat of the moment, it just looks like work is getting done. The problem shows up later, when someone asks for the record and the company realizes the conversation sits in a personal app, on an employee’s phone, outside the systems meant to protect it.

If a company cannot account for important conversations, people start to question what else it cannot see.

The Warnings Are Already There

Financial firms have already had years of warnings. In 2022, the SEC charged 16 Wall Street firms with widespread recordkeeping failures after finding “pervasive” off-channel communications. The firms agreed to pay more than $1.1 billion in combined penalties. In January 2025, another 12 firms agreed to pay more than $63 million after SEC investigations again found the use of unapproved communication methods.

The FCA’s recent review of 11 wholesale banks shows why the issue keeps resurfacing. Every firm had improved its approach, yet most still recorded breaches of internal policy. Eight firms reported 178 breaches over the previous 12 months, and 41% involved people at director grade or above. The review points to a problem firms recognise but still struggle to change: Finding off-channel messages is easier than changing the incentives that drive people to use them.

Regulators Are Becoming More Prescriptive

The UAE shows where this may be heading.
The Central Bank has reportedly ordered licensed financial institutions to stop using WhatsApp and other instant messaging apps for financial services or customer data sharing, with firms required to comply from April 30, 2026.

If customers are used to sending documents, service requests or payment questions through consumer messaging apps, firms need an alternative that is clear, fast and trusted. The official rule can change overnight. Customer behavior usually does not.

Policy Is Only Part Of The Answer

I first saw this gap clearly in Hong Kong. Business conversations were already happening around me on WhatsApp and WeChat, while regulated firms still had obligations to retain and supervise communications. People were using the channels clients already used rather than waiting for a better enterprise tool to arrive.

Companies cannot govern the version of communication they wish people used. They have to govern the version employees and customers use every day. A ban may be necessary where customer data, transaction instructions or authentication details are involved. But a ban by itself leaves a vacuum. If the approved route is slower, confusing or poorly adopted, old habits return quickly.

The better question is: Where should this conversation go instead?

Start With The Working Day

Companies need to map what is actually happening. Which channels are employees using now? Which ones are clients pushing them toward? Which conversations involve regulated activity, customer data or commercial decisions? Which are only logistics?

Staff should not have to improvise every time a message arrives in the wrong place. If a client sends documents over WhatsApp, the employee needs to know whether to move the exchange, capture it, report it or stop it. If a senior colleague starts a private side chat, the employee should know where the line is and who will back them for holding it.

Security infrastructure has to support those choices.
When a company allows a channel for business, it should know where the record goes, who can review it and how it would be found later. Messages cannot live only on an employee’s phone. A firm also needs to know what happens when someone sends a dangerous link, shares sensitive information with the wrong contact or moves a conversation out of a recorded channel.

Test What Happens Under Pressure

Firms need to test the vendors and systems they rely on. The FCA review pointed to problems with third-party providers, including outages, reconciliation issues and delayed or missing records. A vendor may provide the system, but the firm still owns the risk when records cannot be trusted or retrieved.

Culture is where policies often break. Staff take their cue from the people above them. If senior managers move sensitive conversations into unofficial channels when pressure builds, the written rule loses authority quickly.

People also need a safe way to raise mistakes early. If every misstep feels like a disciplinary issue, staff will keep quiet until the problem is harder to fix. Training has to sound like the working day, not like a paragraph from a policy document.

Useful training is specific. What should an employee do when a client insists on WhatsApp? What happens when the approved platform is down? How should someone respond when a senior colleague asks for a quick answer in a private chat?

The Board’s Role

Boards should ask better questions. Where are employees actually communicating? Are approved routes usable? Are senior people following the same rules? Can we retrieve the records? Do vendor systems work reliably? What does breach data tell us about behavior rather than just detection?

They should also ask what happens after a problem is found. An honest and substantive response needs facts: which channel was used, who was involved, whether the record was captured, what data was shared and what has changed since.
A polished statement will not protect a firm that cannot explain the underlying record or produce it.

Messaging now carries client instructions, approvals, documents, complaints and commercial discussions. When those records cannot be found, the risk has moved beyond the app.

After years of fines and warnings, the persistence of off-channel communication should tell leaders something: Companies need communication routes that reflect how business is actually done, then govern those routes properly.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.