“Federal prosecutors will look for data preservation mechanisms that allow companies to identify, investigate, report, and remediate employee misconduct and legal violations. Companies that lack policies regarding employees’ work-related use of personal cellphones and messaging apps should expect steeper penalties for misconduct.”
– Troutman Pepper
This week, we consider how electronic messaging applications continue to be a focus of the U.S. Department of Justice (DOJ) and the policies that have been developed. As a result, we explore how firms must update their compliance policies to address off-channel and encrypted electronic communication to ensure all communication remains compliant and that their retention practices adhere to the guidelines—and the potential consequences of failing to do so.
Encrypted Electronic Instant Messaging Applications Continue to Catch the Government’s Attention
The DOJ Criminal Division has updated its guidance on corporate compliance programs to include policies governing corporate employees’ use of personal devices and third-party messaging platforms. The guidance advises that prosecutors consider a company’s policies when assessing the effectiveness of its compliance program and determining how to resolve investigations of corporate misconduct. The guidance notes that relevant policies should be tailored to a company’s risk profile and business needs and ensure that business-related electronic data and communications are accessible and amenable to preservation by the company. Companies lacking policies in this area should expect steeper penalties for misconduct. In addition, companies will benefit from strong and efficient procedures for conducting internal investigations and gathering business communication relevant to litigation.
Tip for Updating Your Compliance Program: Electronic Communications
Compliance officers are required annually to update the firm’s compliance program to reflect changes to relevant regulations and confirm the program is appropriately followed. Investment advisers should prepare for further SEC scrutiny of their employees’ use of electronic communication platforms. The SEC is investigating record-keeping violations resulting from employees’ use of private communications channels for business, focusing on investment advisers and mutual funds. To address this, investment advisers should poll employees to find out what messaging apps they use to communicate with clients and perform a gap analysis. Additionally, they should review current communication policies, train employees about firm policies, and consider more frequent attestation, periodic training, and personal device monitoring.
New DOJ Policies About Messaging Apps and Clawbacks Threaten Compliance Departments’ Standing
The DOJ Criminal Division revised its Evaluation of Corporate Compliance Programs (ECCP) to emphasize the importance of preserving communications made via personal devices and messaging apps and compliance incentives and executive compensation disincentives. While both issues are relevant to compliance efforts, the DOJ’s focus may need to be more practical and could detract from compliance departments’ more critical work. In addition, the burden of enforcing policies that are difficult or impossible to enforce may also damage compliance departments’ credibility.
Off-Channel Communications: Compliance Policy Considerations
The SEC has taken enforcement actions against Wall Street firms for using “off-channel” communications by their supervised persons. The SEC alleges that registered firms failed to adopt and implement written policies and procedures reasonably designed to meet recordkeeping requirements. Methods to consider include periodic training, annual attestation of compliance, ongoing monitoring, and policy drafting considerations. In addition, advisers should communicate their policies to advisory personnel, keep track of approved messaging platforms and cloud storage, and ensure that advisory personnel uses only these approved methods for external communications for advisory firm business.