In my experience it's simply down to convenience rather than malice. You have all your colleagues phone numbers, you know that a whatsapp is going to fire a notification that will get noticed whereas an email may not.
Or that email will go to the "work phone" which isn't sitting on the sideboard somewhere rather than in the person's pocket.
That said, there aren't any banks that don't have a comprehensive employee training program on security and compliance, so "I didn't realise" isn't going to be a valid excuse.
That's not to say that there isn't any deliberately malicious use going on, but it's unlikely that malicious use would be uncovered.
I think the record is pretty good for banks switching behaviour after being fined for a specific failing. They do know that if they get caught doing the exact same thing again, the punishment will be more costly.
It's far cheaper (and more deniable) to find a slightly different way round the regulations, see if/when you get fined for that, then move on to something else again...
Or that email will go to the "work phone" which isn't sitting on the sideboard somewhere rather than in the person's pocket.
That said, there aren't any banks that don't have a comprehensive employee training program on security and compliance, so "I didn't realise" isn't going to be a valid excuse.
That's not to say that there isn't any deliberately malicious use going on, but it's unlikely that malicious use would be uncovered.