[bennyelv]

In my experience it's simply down to convenience rather than malice. You have all your colleagues phone numbers, you know that a whatsapp is going to fire a notification that will get noticed whereas an email may not.

Or that email will go to the "work phone" which isn't sitting on the sideboard somewhere rather than in the person's pocket.

That said, there aren't any banks that don't have a comprehensive employee training program on security and compliance, so "I didn't realise" isn't going to be a valid excuse.

That's not to say that there isn't any deliberately malicious use going on, but it's unlikely that malicious use would be uncovered.