An examination of how Sri Lankan enterprises have defaulted to personal WhatsApp accounts for customer operations, the compliance and data trail risks this creates under CBSL expectations, and why IT teams keep losing the argument to revenue-generating sales and ops functions, with an assessment of what the eventual reckoning looks like.
There is a conversation happening right now between a customer and someone at a large Sri Lankan company. It is happening on WhatsApp. The number the customer is messaging belongs to an employee who joined eighteen months ago, built a book of relationships, and is currently in their notice period.
The company does not know what has been promised in that chat history, and it cannot access it. When that employee walks out with their phone and their number, the entire thread goes too: commitments, complaints, escalations, personal data.
This is not a fringe case. This is how a significant portion of enterprise customer operations actually runs in Sri Lanka today.
How Customer Operations Actually Work in Colombo Right Now
If you walk into any mid-to-large enterprise in Colombo and ask how the sales or service team communicates with customers, the official answer will usually reference email, a CRM, maybe a ticketing system. The real answer, the one you get when you talk to someone on the floor, is WhatsApp.
This is not surprising. WhatsApp is where Sri Lankan customers actually are. Responses come faster and more reliably. The interface is familiar. Customers reply to a WhatsApp message when they would ignore an email for three days. From a pure friction standpoint, it works.
So teams default to it, not because anyone made a policy decision but because it solves the immediate problem of getting a customer to respond.
The result is a patchwork of personal numbers, personal devices, and personal accounts holding conversations that are, in any real sense, company business. Customer complaints. Sales commitments. Document exchanges. Sometimes sensitive financial or health-related information.
Nobody formally approved this. Nobody formally stopped it either.
When the Employee Leaves, So Does Everything They Knew
Here is where it gets expensive.
When a relationship manager, sales executive, or service agent leaves a company, they take three things: their knowledge, their relationships, and their WhatsApp chat history. The first two you expect to lose. The third one most companies have not properly accounted for.
A customer who has been dealing with a specific person for two years does not necessarily know who to call next. They have a number saved. They message it. If that person has left, one of three things happens: the message goes unanswered, the former employee responds personally, or the SIM has been recycled and someone entirely unconnected receives it.
For the company, the situation is worse than just losing contact. There is no record of what was discussed. No record of what was promised. No audit trail of what documents were shared. If a customer later disputes a commitment - a loan term, a service level, a price agreed over chat - there is nothing to refer to.
In regulated industries, that is not just operationally messy. It is a liability.
I have spoken to enough people at enterprise companies here to know this happens regularly. The response is usually to onboard the customer again from scratch, apologize for the inconvenience, and hope the customer does not escalate. Most do not. Some do.
What the Central Bank's Compliance Posture Actually Expects
The Central Bank of Sri Lanka has been moving steadily in the direction of requiring licensed financial institutions to maintain clear, auditable records of customer communications. The Direction on Customer Due Diligence, the circulars around consumer protection, and the broader expectations embedded in AML and KYC frameworks all point toward the same underlying principle: if you communicated something to a customer as part of a financial transaction or relationship, you need to be able to produce it.
Personal WhatsApp does not meet that bar. It cannot meet that bar.
There is no centralised archive. There is no access control. There is no way to retrieve a conversation from a former employee's personal phone as part of a regulatory review without involving that former employee, assuming they still have the data and are willing to cooperate. Nor can the institution go to Meta for it: delivered messages are end-to-end encrypted, so the only copies of the content are on the two handsets and in whatever cloud backup the employee has switched on under their own Google or Apple account. What does sit on Meta's infrastructure - the metadata and any undelivered messages - is on servers outside Sri Lanka, governed by Meta's terms of service, not yours. Either way, the institution holds no copy it controls.
Banks and insurance companies in Sri Lanka are not necessarily unaware of this. What I observe is something closer to deliberate avoidance - a choice not to document the gap formally because documenting it creates an obligation to fix it. Compliance teams raise it quietly. IT raises it. And then the conversation stalls because the operational dependency on WhatsApp is real and there is no obvious approved alternative.
So the risk sits there, undeclared.
Why IT Keeps Losing the Argument to Sales and Operations
IT departments at Sri Lankan enterprises are not unaware of this problem. In many cases they have been raising it for years. The reason it persists is structural.
The person who owns the WhatsApp relationship with a key client is usually a revenue-generating employee. Sales managers, relationship managers, senior account handlers. These are not people IT can simply instruct to change their workflow. They are often protected by the fact that their customer relationships are commercially valuable.
When IT proposes a migration to a compliant platform, the immediate pushback is practical: customers are on WhatsApp, customers will not download a new app, response rates will drop, relationships will be disrupted. Some of this is genuine. Some of it is the comfort of a familiar tool dressed up as customer necessity. The pushback also tends to conflate the channel with the account: the problem is not that customers use WhatsApp but that the number, the device and the chat history belong to the employee rather than the company, and that is what a migration actually has to change.
The deeper issue is that IT in most Sri Lankan enterprises sits in a cost centre, not a revenue centre. When there is a conflict between a tool that generates revenue and a policy that manages risk, the organisation's implicit incentive structure almost always favours the revenue side - until the risk materialises into something that cannot be ignored.
A compliance breach, a data dispute, a regulatory inquiry. That is usually what it takes.
Meanwhile, the data continues to sit on personal devices, outside company control, and the gap between where operations actually run and where they are supposed to run gets wider.
The Gap Between How Sri Lankan Enterprises Communicate and How They Are Required To
This is not purely a Sri Lanka problem, but it has specific characteristics here that make it more acute.
First, the mobile-first nature of Sri Lankan consumer behaviour means customers have genuinely high expectations for WhatsApp responsiveness. It is not a fringe channel. For a large portion of the customer base, it is the primary one. Telling a company to simply stop using WhatsApp is not a realistic suggestion - it would break customer relationships immediately.
Second, enterprise software built for Western markets assumes an infrastructure baseline that does not always translate here. CRM tools built for English-language markets do not handle Sinhala or Tamil input well. Customer service platforms assume data residency and connectivity conditions that do not reflect local reality. So when IT goes looking for compliant alternatives, the options that exist are either too expensive, too complicated to integrate, or simply not built for the local context.
Third, the enterprise culture around compliance in Sri Lanka is still maturing. This is not a criticism - it reflects where the market is in its development. The regulatory pressure is real and increasing, but the institutional muscle for operationalising compliance inside customer-facing teams is still being built. Most companies know roughly what is required. Far fewer have built the internal systems and culture to actually deliver it.
The result is a genuine infrastructure gap. The communication channel that works for customers is WhatsApp. The infrastructure WhatsApp sits on is unsuitable for enterprise compliance. The alternatives available have historically been poorly adapted to the local context. So the gap persists, and everyone quietly operates inside it.
What Happens When This Gets Forced
At some point, this does get forced. Regulatory pressure on financial institutions in Sri Lanka is not decreasing. Consumer protection expectations are rising. As digital transaction volumes increase, the scrutiny on how those transactions are communicated, committed to, and recorded will increase with them.
When that reckoning comes for an individual institution - through a regulatory inquiry, a customer dispute that escalates publicly, or an internal audit that can no longer be quietly shelved - the scramble to retrofit compliance onto an existing WhatsApp-based operation is not a comfortable process.
It requires rebuilding customer relationships on new channels, often with no historical continuity. It requires accepting a transition period where existing informal channels have to be wound down before new formal ones are fully operational. And it requires getting sales and ops teams to change daily habits that have been built over years.
None of that is impossible. But doing it reactively, under pressure, is significantly harder than doing it proactively.
The companies that move before they are forced to will retain more control over how that transition happens. They will be able to migrate relationships deliberately rather than abandon them. They will be able to set internal norms before an external regulator sets them instead.
This problem is not complicated to understand. The gap between knowing and doing is the thing that is actually hard.
For now, the conversations keep happening on personal WhatsApp. The employees keep leaving. And the chat histories keep disappearing.
