
Tightening Compliance Around Ephemeral Messages

July 18, 2024

If employees are choosing to take business communications off approved channels in favour of platforms that include ephemeral or self-deleting messaging options, the question is why. Is it because of convenience and ignorance? Or does it indicate an intention to cover up improper behaviour? Given that the range of communication channels continues to expand and hybrid working patterns are here to stay, have the risks and consequences of this been fully grasped across organisations?

In 2023, following a slew of enforcement actions, regulatory guidance emerged on the use of off-channel communications and ephemeral messaging in the corporate workplace, where regulators and prosecutors made clear that companies that fail to have appropriate risk-based controls in place to proactively address these issues will face consequences. This year, regulators and prosecutors continue to use a carrot and stick approach to reinforce expectations.

The threat of legal or financial repercussions is a clear impetus to act, but many companies are still grappling with designing policies and deploying tools that balance regulatory expectations with the organisation’s own risk profile and business profitability.  

Regulatory enforcement and emphasis continue across sectors

We wrote last October that total penalties imposed by the SEC and CFTC between December 2021 and September 2023 had reached approximately $2.7 billion. The US financial regulators continued their charge with the announcement earlier this year of more than $81 million in settlements to be paid for recordkeeping failures by 16 different financial service firms. In another significant step announced in April 2024, the SEC took its first action against an investment advisor without broker-dealer ties. The firm agreed to a $6.5 million penalty and “to implement improvements to its compliance policies and procedures”.  

The scale of the problem for financial services is all the more surprising in light of long-established monitoring and retention requirements by regulators in this sector. Major firms with an abundance of resources such as Blackstone, TPG and Carlyle are reportedly next in line to announce SEC settlements for failing to comply.

But the challenge is no longer one in which companies outside financial services can “feign ignorance”, as warned by Manish Kumar, Deputy Assistant Attorney General of the US DOJ’s Antitrust Division. In January 2024, the DOJ and FTC updated language in their standard preservation letters and specifications to address off-channel and ephemeral messaging platforms. The revised language is said to be designed to “reinforce longstanding obligations requiring companies to preserve materials” during government investigations and litigation. Taken together with last year’s incorporation of language related to off-channel communications into the DOJ’s Evaluation of Corporate Compliance Programs, we can see the DOJ gradually reinforcing its line on the seriousness of the risk to investigations and regulatory compliance.  

The ‘stick’ of enforcement is, however, being balanced by the ‘carrot’ of rewarding self-reporting. For example, Sanjay Wadhwa, deputy director of the SEC’s enforcement division, recently said that out of the many factors that play into a settlement figure, self-reporting was “most likely to significantly lower the penalty”. Of the 16 firms charged in February 2024, the one that self-reported received a significantly lower penalty ($1.25 million) than the others ($8 million to $16.5 million).

Elements to a successful integrated compliance approach  

The key to avoiding the risk of substantial penalties is an approach which combines technology with risk-based compliance policies, enhanced corporate culture, training and monitoring. The SEC noted that the wrongdoing by the above-mentioned 16 financial service firms involved “multiple levels of authority, including supervisors and senior executives”. This led to firms being required to retain independent compliance consultants to review policies and procedures “relating to the retention of electronic communications found on personal devices and their respective frameworks for addressing non-compliance”.

This holistic approach applies beyond SEC-regulated companies, given that the DOJ’s remit covers all companies and not just regulated ones. All companies must decide how to balance their resources and business requirements against their risk exposure. It is particularly important for global companies to take a cross-border perspective from the outset. Whilst to date the US authorities have taken the lead on enforcement on this issue, it is only a matter of time before related concerns are addressed in other major jurisdictions. Data privacy laws and culture in different jurisdictions could also have a significant impact on any firm-wide policy changes.

Aside from regulatory pressure, ephemeral messages and off-channel communications will likely impede companies’ ability to conduct effective internal investigations too, particularly as messaging apps compete to offer individual users even higher levels of privacy and encryption. Launch the conversation now to stay on top of your company’s exposure to this ever-evolving risk.

Existing SEC and DOJ guidance

To help structure the many factors that need to be considered, we share existing guidance from the SEC containing five key elements:

  1. Communications policies and procedures: Establish a cross-functional governance group that includes IT/information security and legal. Questions to address include the pros and cons of Bring Your Own Device (BYOD), understanding employees’ current apps of choice, and how to respond to emerging technology.
  2. Training and awareness: Is your training giving employees an effective understanding of the importance of using approved communication channels and the consequences of non-compliance? Regular updates and refresher courses are critical for regulators.
  3. Monitor and audit preservation and archiving: Do you have the means to regularly check for completeness, accuracy, and retrievability? Have you implemented robust security measures to protect the archived data from unauthorized access, tampering, or loss?
  4. Surveillance and monitoring of communications: Leveraging technology such as machine learning can be invaluable and cost beneficial, flagging potential risks in real time for additional review before they escalate. Technology-enabled monitoring will require continuous updating of any models or algorithms to capture the latest intelligence and advancements.
  5. Strengthen prevention and detection measures: To demonstrate to regulators and stakeholders that a company is fulfilling its responsibilities, firms must document the discrepancies and non-compliance identified through surveillance and monitoring – whether in the systems, technology, or employee behaviour – and show they are addressed promptly.

The DOJ approach, now set out in its 2023 edition of the Evaluation of Corporate Compliance Programs, is broadly similar to that of the SEC, emphasising that policies governing messaging applications can be tailored to the corporation’s risk profile and specific business needs but that to “the greatest extent possible” companies must be able to preserve business-related data. Communication and training on the policies are also key, as is demonstrating the enforcement of related procedures on a “regular and consistent basis”. In line with other parts of the guidance, the DOJ also places weight on whether appropriate disciplinary measures have been applied to those found to have violated policies and procedures.  

Technology, including ephemeral messaging and off-channel communications, is here to stay. More features that will threaten organisations’ control environments will become available. Companies need to be vigilant in keeping up with new advancements and proactively consider the controls that would serve them best.


Hear more from the authors on our recent webinar, exploring key risks, proactive strategies and technology solutions for handling ephemeral messaging.