The honest answer: yes, WhatsApp is encrypted
Let us start where most articles on this subject get it wrong. WhatsApp messages are end-to-end encrypted in transit, and that protection is genuinely strong. For the journey between two phones, it is better than ordinary email. So if a client asks “is WhatsApp not secure?”, the technically accurate answer is that the message itself is well protected on the wire.
That is also why “WhatsApp is insecure” is the wrong argument to make to a client, and why a regulated professional should not rely on it. The question a solicitor or financial adviser actually has to answer is different. It is not “is this message encrypted in transit?” It is “can I keep this client’s information confidential, keep the records I am required to keep, and delete the information when I should?” Those are the tests your regulator applies, and transit encryption answers none of them.
The distinction that matters
Encryption in transit protects the message while it travels. Your professional duties are about what happens to the document after it arrives: where it is stored, who can reach it, whether there is a record, and how it is deleted. WhatsApp was not built for any of that.
Solicitors: the SRA confidentiality duty does not stop at 'encrypted'
Paragraph 6.3 of the SRA Code of Conduct for Solicitors, RELs and RFLs requires you to keep the affairs of current and former clients confidential unless disclosure is required or permitted by law, or the client consents. In its guidance on confidentiality of client information, the SRA notes that the courts treat this as an unqualified duty: a duty to keep the information confidential, not merely to take reasonable steps to do so.
That word, unqualified, is the problem with WhatsApp. Once a client’s bank statement or passport scan lands in a WhatsApp thread, it sits on that device indefinitely, syncs into a cloud backup you do not control, and can be forwarded in two taps. You have not lost control because anyone did anything wrong. You have lost control because the channel is designed to keep and spread content, not to contain and delete it. If a personal phone is lost, sold or seized, the confidential material goes with it.
There is no SRA rule that names WhatsApp and bans it. The point is narrower and harder to argue with: if your duty is to keep information confidential, you need a channel that lets you actually do that. A one-time, auto-deleting secure link does. A persistent chat thread does not.
Financial advisers: the FCA cares about records, not just secrecy
For FCA-regulated firms the issue has a second dimension: recordkeeping. The FCA’s SYSC 10A rules require certain business communications to be recorded and retained in a form that can be reproduced. Messages sent over WhatsApp, Signal or personal email sit outside approved systems, and the regulator has a name for them: off-channel communications.
This is not a theoretical concern. The FCA ran a dedicated multi-firm review of off-channel communications at wholesale banks, and has surveyed firms about breaches of their unmonitored-messaging policies. The supervisory expectation is blunt: if a firm chooses to allow encrypted messaging, it must have the means to capture those communications and reproduce them. WhatsApp on a personal phone gives a firm no reliable way to do that.
It is already being enforced
In 2023, Ofgem fined a firm for failing to record and retain trader communications sent through WhatsApp. UK regulators are treating off-channel messaging as a recordkeeping failure in its own right, separate from any underlying misconduct.
The takeaway for an adviser is that even a perfectly innocent document exchange over WhatsApp can be a compliance problem, because the failure is the lack of a capturable, reproducible record, not the content of the message.
UK GDPR: encryption is one measure, not the whole test
Both solicitors and financial advisers are also data controllers under UK GDPR, and bank statements, passports and identity documents are exactly the kind of personal data that attracts scrutiny. The ICO’s security guidance sets out the security principle in Article 5(1)(f) and the requirement in Article 32 to use appropriate technical and organisational measures.
Notice what “appropriate measures” covers. It is not satisfied by transit encryption alone. It includes the ability to limit access, to ensure data is not kept longer than necessary, and to restore or remove it. WhatsApp gives you the first part and almost none of the rest. There is no way to set an expiry, no controlled deletion once a file is downloaded, and no log of who accessed what. A secure document platform is, in effect, the “appropriate measure” the regulation is asking for.
The four gaps that catch regulated firms
Strip away the regulation and the practical problems with WhatsApp for documents come down to four things, none of which transit encryption fixes:
1. Backups are not end-to-end encrypted by default
WhatsApp added end-to-end encrypted backups in 2021, but it is an opt-in setting that requires the user to enable it and safeguard a password or 64-digit key. Until someone does that, chat history, including documents, can be backed up to iCloud or Google Drive without the same end-to-end protection.
2. The document never goes away
A file in a chat thread stays on both devices for as long as the thread exists. There is no expiry and no automatic deletion. “Keep only as long as necessary” becomes impossible to honour.
3. One tap to forward
Anything received can be forwarded, screenshotted or saved to the camera roll instantly. You cannot contain a document once it is in someone else’s chat app.
4. No audit trail
There is no reliable, exportable record of what was sent, to whom, and when it was opened. For an FCA firm that is a recordkeeping gap; for any controller it makes a subject access request or breach investigation far harder.
How to keep WhatsApp and still stay compliant
The good news is that you do not have to fight your clients’ habits. Clients like WhatsApp because it is fast and they already have it open. You can keep that convenience and lose the compliance risk with one change: send a secure link through WhatsApp, not the document itself.
The compliant pattern
- Create a one-time, encrypted upload or download link.
- Paste that link into WhatsApp, the way you already would.
- The document is encrypted in the browser, downloaded once, then deleted from the server.
- You keep a record of the request and the collection, not a copy sitting in a chat thread.
This is exactly how FileSeal is designed to work. The link is the thing that travels over WhatsApp; the file lives in an encrypted, single-use seal that deletes itself after download. You paste the secure link into WhatsApp the way you would any other message, so the client experience is barely different, but the document itself is never the thing sitting in the chat.
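The server side of that pattern, as an added example (not FileSeal's code or API): a store that hands out an unguessable link token, releases the blob exactly once, deletes it on collection or expiry, and keeps an audit record that contains no document content. The names OneTimeStore, create_link and redeem are hypothetical, the blob is assumed to have been encrypted in the browser already, and an in-memory dict stands in for server storage.

```python
import hashlib
import secrets
import time


class OneTimeStore:
    """Holds opaque ciphertext; each link redeems once, then the blob is gone."""

    def __init__(self, clock=time.time):
        self._blobs = {}   # sha256(token) -> (ciphertext, expires_at)
        self.audit = []    # append-only record: (timestamp, event, link id prefix)
        self._clock = clock

    @staticmethod
    def _link_id(token):
        # Only a hash is stored, so a leaked store or log does not reveal live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def _log(self, event, link_id):
        self.audit.append((self._clock(), event, link_id[:12]))

    def create_link(self, ciphertext, ttl_seconds=3600):
        token = secrets.token_urlsafe(32)  # 256 random bits: the part pasted into chat
        link_id = self._link_id(token)
        self._blobs[link_id] = (ciphertext, self._clock() + ttl_seconds)
        self._log("created", link_id)
        return token

    def redeem(self, token):
        link_id = self._link_id(token)
        # pop() reads and deletes in one step, so a second request finds nothing.
        entry = self._blobs.pop(link_id, None)
        if entry is None:
            self._log("rejected", link_id)
            return None
        ciphertext, expires_at = entry
        if self._clock() > expires_at:
            self._log("expired", link_id)  # already deleted by the pop above
            return None
        self._log("downloaded", link_id)
        return ciphertext


def demo():
    now = [1000.0]  # constructed clock so expiry can be shown without waiting
    store = OneTimeStore(clock=lambda: now[0])
    token = store.create_link(b"constructed-ciphertext", ttl_seconds=60)
    first, second = store.redeem(token), store.redeem(token)
    stale = store.create_link(b"constructed-ciphertext-2", ttl_seconds=60)
    now[0] += 61
    third = store.redeem(stale)
    return first, second, third, [event for _, event, _ in store.audit]
```

The audit list is the record of request and collection; the chat thread only ever holds the token, which is useless after the first download or after expiry.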
For a broader look at the business and client-trust case beyond the regulatory duties, see our companion piece on WhatsApp for business documents. If you want a fuller checklist for legal practice specifically, the solicitor document security checklist covers the wider GDPR picture.
This article is general information about professional and data-protection obligations, not legal or compliance advice. Your own regulator’s rules and your firm’s policies take precedence; check them before setting policy.
Frequently asked questions
Is WhatsApp encrypted enough for client documents?
WhatsApp messages are end-to-end encrypted in transit, which is genuinely strong for the journey between two phones. But the regulatory test is not “is the message encrypted in transit”. It is whether you can keep the information confidential, retain a proper record where required, and delete it when you should. Cloud backups are not end-to-end encrypted by default, files persist on the recipient’s device, and there is no audit trail or controlled deletion. That is where WhatsApp falls short for regulated work.
Can solicitors send client documents over WhatsApp?
There is no outright SRA ban, but paragraph 6.3 of the SRA Code of Conduct requires solicitors to keep client affairs confidential, and the courts have described this duty as unqualified. Using a channel where files sit indefinitely on personal devices and in cloud backups that are not end-to-end encrypted by default makes that duty harder to discharge. Most firms restrict WhatsApp to general contact and move documents to a secure, deletable channel.
What do the FCA rules say about WhatsApp for financial advisers?
The FCA’s SYSC 10A recordkeeping rules require certain business communications to be recorded and retained in a form that can be reproduced. Business messages sent over WhatsApp or other personal apps (‘off-channel communications’) sit outside approved systems and have been the subject of a dedicated FCA multi-firm review. Firms that allow encrypted messaging are expected to be able to capture and reproduce those records.
Written by the FileSeal security and compliance team. We specialise in document security, GDPR compliance, and data protection for UK professionals. Our guides are reviewed by industry practitioners and updated regularly.
