Oct 08, 2024
GDPR-Compliant SMS and WhatsApp Marketing for Financial Services: What's Allowed and What Isn't
Financial services firms occupy a special position under GDPR. The data they process (transaction histories, credit information, investment portfolios, health-related insurance data) is treated as high-risk personal data by EU and UK regulators, and health data is special-category data under Article 9. The ICO, CNIL, BaFin and equivalent national supervisory authorities apply greater scrutiny to financial services marketing communications than to most other sectors.
This does not mean that SMS and WhatsApp marketing are off-limits. It means that the compliance framework must be built correctly from the start — consent must be specific, records must be maintained, and the distinction between service communications and marketing must be consistently respected.
The Critical Distinction: Service vs. Marketing
The most important compliance concept for financial services messaging is the distinction between service communications and marketing communications. These have different legal bases, different consent requirements, and different obligations.
Service communications are messages the customer needs to manage their relationship with you:
- Transaction confirmations
- Fraud alerts and security notifications
- Payment status updates
- Policy renewal reminders (factual, not promotional)
- Statement availability notices
- Regulatory disclosures
Service communications can typically be sent under the legitimate interests legal basis (Article 6(1)(f) GDPR) or under contract performance (Article 6(1)(b)), provided they are genuinely necessary for the service relationship and the customer could reasonably expect them. Explicit marketing consent is not required for pure service communications.
Marketing communications are messages designed to promote products or services:
- Cross-sell offers (“You might also like our contents insurance”)
- Promotional campaigns (“This month only — reduced premium for new car insurance”)
- Product launches (“Introducing our new investment ISA”)
- Up-sell prompts (“Upgrade to Premium for additional cover”)
Marketing communications require prior, granular opt-in consent. The opt-in requirement for SMS and similar electronic direct marketing comes from the ePrivacy Directive (Article 13) and its national transpositions, such as PECR in the UK; consent under Article 6(1)(a) GDPR is then the legal basis for the processing. The consent must name the specific channel (SMS, WhatsApp), the type of messages, and the product categories covered.
Legal basis summary for financial services messaging:
| Message type | Legal basis | Explicit consent required? |
|---|---|---|
| Transaction confirmation | Contract performance | No |
| Fraud alert | Legitimate interests | No |
| Policy renewal reminder (factual) | Contract performance | No |
| Policy renewal reminder (with upgrade offer) | Consent | Yes |
| Cross-sell offer | Consent | Yes |
| Product launch announcement | Consent | Yes |
| Appointment reminder | Contract performance | No |
| Market commentary (investment) | Consent + MiFID | Yes |
Consent Standards for Financial Services
Basic GDPR consent requirements apply to all sectors: freely given, specific, informed, unambiguous. In financial services, two additional standards raise the bar.
Granularity: Bundled consent (“I agree to receive marketing from [Bank Name]”) is insufficient. The consent must specify the channel (SMS, WhatsApp, email), the message type (product offers, promotional campaigns, market commentary), and where relevant the product category (insurance products, investment products, loans).
Separation from service terms: Consent to marketing cannot be buried in the general terms and conditions of a current account, insurance policy, or investment agreement. It must be presented separately, with the option to decline marketing without affecting the service relationship.
Documentation: The consent record must capture: the exact wording of the consent request, the date and time of consent, the channel through which consent was given, and the version of the consent form. This record must be retrievable if a customer or regulator challenges the basis for a communication.
What a compliant WhatsApp opt-in looks like for a bank:
“Would you like to receive updates and offers from [Bank Name] via WhatsApp?
This includes: information about new products and services relevant to your account, personalised offers, and promotions. This is separate from account alerts and notifications, which you can manage in your notification settings.
You can withdraw this consent at any time by replying STOP to any WhatsApp message or updating your preferences in your mobile banking app.
☐ Yes, I’d like to receive marketing messages from [Bank Name] via WhatsApp”
Note what is NOT acceptable: a pre-ticked box, combining this with service notification consent, or making account opening conditional on marketing consent.
WhatsApp-Specific Obligations
WhatsApp Business API adds a layer of platform requirements on top of GDPR:
Template pre-approval: Business-initiated messages, meaning the first message in a conversation or any message sent outside the 24-hour customer service window, must use message templates that Meta has reviewed and approved. Meta assigns each template a category (marketing, utility or authentication), and a marketing template may only be sent to customers who have opted in. For a financial services firm, that opt-in has to meet the consent standards described above, not a generic "receive updates" tick.
24-hour window: When a customer messages the business, a 24-hour customer service window opens during which the business can reply with free-form messages. Outside this window only approved templates can be sent, so planned marketing campaigns are template-based while service responses can be conversational. The window governs message format, not legal basis: a marketing message sent inside the window still needs the customer's marketing consent.
Opt-out mechanics: If a customer sends "STOP" or an equivalent phrase, the business must send no further marketing messages via that channel. The opt-out must be written to the CRM immediately and durably, with a timestamp, and honoured by every outbound path (campaign tooling, agent desktops, automations), not only the system that received it. It does not suppress service communications such as fraud alerts, which rest on a different legal basis.
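The gate logic these rules imply, as an added example that is not code from the original post or from Caramel's product: the record layout, function names and the customer scenario are constructed for illustration. It combines the service/marketing distinction, the consent record fields from the previous section, the 24-hour window and STOP handling, and shows that the window decides delivery format but never supplies a legal basis.

```python
"""Outbound message gate for WhatsApp/SMS in a financial-services CRM.

Added example (hypothetical layout, not a product API). Rules applied:
service messages need no marketing consent and survive a STOP; marketing
messages need channel- and category-specific consent that is neither
withdrawn nor overridden by a later STOP; free-form delivery exists only
inside the 24-hour window opened by the customer's last inbound message.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

WINDOW = timedelta(hours=24)


class Purpose(Enum):
    SERVICE = "service"      # confirmations, fraud alerts, factual renewal reminders
    MARKETING = "marketing"  # cross-sell, promotions, product launches


@dataclass(frozen=True)
class ConsentRecord:
    """Fields a consent record must capture (hypothetical layout)."""
    customer_id: str
    channel: str              # "whatsapp" or "sms"; consent is per channel
    scope: frozenset          # product categories covered, e.g. {"insurance"}
    wording: str              # exact text the customer saw
    form_version: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class ChannelState:
    last_inbound_at: Optional[datetime] = None  # opens the 24-hour window
    opted_out_at: Optional[datetime] = None     # STOP (or equivalent) received


@dataclass(frozen=True)
class Decision:
    allowed: bool
    basis: str      # legal basis the CRM would cite if challenged
    delivery: str   # "free-form" inside the window, otherwise "template"
    reason: str


def record_opt_out(state: ChannelState, now: datetime) -> None:
    """STOP is stored durably with a timestamp. It is itself an inbound message,
    so it opens the window for a confirmation reply, but marketing stays blocked."""
    state.opted_out_at = now
    state.last_inbound_at = now


def authorize_send(purpose: Purpose, channel: str, category: str,
                   consents: list, state: ChannelState, now: datetime,
                   audit: list) -> Decision:
    in_window = state.last_inbound_at is not None and now - state.last_inbound_at < WINDOW
    delivery = "free-form" if in_window else "template"

    if purpose is Purpose.SERVICE:
        # Contract performance / legitimate interests; unaffected by a marketing STOP.
        decision = Decision(True, "Art. 6(1)(b)/(f) GDPR", delivery, "service communication")
    else:
        # Newest live consent for this channel whose scope covers the product category.
        live = [c for c in consents if c.channel == channel
                and c.withdrawn_at is None and category in c.scope]
        consent = max(live, key=lambda c: c.given_at, default=None)
        if consent is None:
            decision = Decision(False, "consent (Art. 6(1)(a))", delivery,
                                f"no {channel} consent covering '{category}'")
        elif state.opted_out_at is not None and state.opted_out_at >= consent.given_at:
            # A STOP that post-dates the consent overrides it; a fresh opt-in after STOP is honoured.
            decision = Decision(False, "consent (Art. 6(1)(a))", delivery,
                                f"opted out at {state.opted_out_at.isoformat()}")
        else:
            decision = Decision(True, f"Art. 6(1)(a) GDPR, form {consent.form_version} "
                                f"given {consent.given_at.isoformat()}", delivery,
                                "marketing consent on record")

    # Append-only log: the record a regulator asks for when a message is challenged.
    audit.append({"at": now.isoformat(), "purpose": purpose.value, "channel": channel,
                  "category": category, "allowed": decision.allowed,
                  "basis": decision.basis, "delivery": decision.delivery,
                  "reason": decision.reason})
    return decision


def demo() -> dict:
    """Constructed scenario: one customer, one WhatsApp consent for insurance, then a STOP."""
    t0 = datetime(2024, 10, 8, 9, 0, tzinfo=timezone.utc)
    consent = ConsentRecord(
        customer_id="cust-001", channel="whatsapp", scope=frozenset({"insurance"}),
        wording="Yes, I'd like to receive marketing messages from [Bank Name] via WhatsApp",
        form_version="wa-optin-v3", given_at=t0)
    state = ChannelState(last_inbound_at=t0 + timedelta(hours=2))  # customer wrote in
    audit: list = []
    out = {}
    h3 = t0 + timedelta(hours=3)
    out["cross_sell_in_window"] = authorize_send(Purpose.MARKETING, "whatsapp", "insurance", [consent], state, h3, audit)
    out["cross_sell_sms"] = authorize_send(Purpose.MARKETING, "sms", "insurance", [consent], state, h3, audit)
    out["isa_launch"] = authorize_send(Purpose.MARKETING, "whatsapp", "investments", [consent], state, h3, audit)
    out["promo_day3"] = authorize_send(Purpose.MARKETING, "whatsapp", "insurance", [consent], state, t0 + timedelta(days=2), audit)
    record_opt_out(state, t0 + timedelta(days=2, hours=1))
    d3 = t0 + timedelta(days=3)
    out["promo_after_stop"] = authorize_send(Purpose.MARKETING, "whatsapp", "insurance", [consent], state, d3, audit)
    out["fraud_alert_after_stop"] = authorize_send(Purpose.SERVICE, "whatsapp", "account", [consent], state, d3, audit)
    out["audit"] = audit
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The scenario exercises the cases the rules above call out: the same offer is refused on SMS because the consent named WhatsApp only, an investment launch is refused because it falls outside the consented product category, the day-3 promotion is allowed but forced to a template because the window has closed, and after STOP the promotion is blocked even though the STOP itself re-opened a free-form window, while the fraud alert still goes out.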
Record-Keeping for Regulatory Requests
Financial services firms must be able to demonstrate compliance on request from a supervisory authority. This means maintaining:
- Complete consent records per customer per channel
- Full message logs (sent, received, delivery status, timestamps)
- Opt-out records with timestamps
- Evidence of complaint handling related to unsolicited messages
A CRM that logs all WhatsApp and SMS interactions automatically, maintains consent records per customer, and generates compliance reports on demand is not a luxury — it is the practical infrastructure required to operate this channel at scale without regulatory exposure.
For the full WhatsApp implementation framework for banking, see WhatsApp for Banking Customers: Compliance, Open Rates, and Real Results. For how to structure consent collection at onboarding and renewal, see Insurance Cross-Sell Automation: From Policy Renewal to Upsell in One Workflow.