The widespread use of personal devices and messaging platforms by all employees has become a compliance issue that challenges the whole company
Last year, the U.S. Securities and Exchange Commission (SEC) levied $2 billion in fines to Wall Street firms for failing to have systems and controls in place for messaging platform use. The U.S. Department of Justice (DOJ) has now weighed in with its view that personal devices and third-party messaging applications pose “significant compliance risk”, and the agency wants companies of all kinds to develop strong policies to address that risk.
Prosecutors should consider whether companies seeking cooperation credit in an investigation have policies to permit the collection of all non-privileged documents including data on telephones, tablets, or other devices used by employees for business, said Lisa Monaco, the deputy U.S. attorney general, in a September 2022 memorandum.
David Sharfstein, a partner at Hogan Lovells in Washington, D.C., agrees that this issues has become a compliance focus. “The number of communication mechanisms has exploded in the last several years,” says Sharfstein. “Many of those are ephemeral now, and I think what everyone in the market and all the regulatory authorities are thinking about is back when the issue was text messaging, and back when the issue was these other communication methods — now prosecutors have come to expect that that’s where the juiciest evidence is. They’re now thinking, what are we going to do with this rapidly changing technological environment?”
Personal communications misuse is perennial problem in bribery and corruption cases as well as fraud. Recently, U.S. federal prosecutors’ superseding indictment of Sam Bankman-Fried said the former FTX chief executive “required his co-conspirators and others who worked for him to communicate using encrypted and ephemeral messaging platforms that self-deleted, thereby preventing regulators and law enforcement from later obtaining a record of his misdeeds.”
Deputy AG Monaco also highlighted personal communications and messaging risk extensively in her 2022 memorandum and in the DOJ’s terrorist financing plea agreement with international cement-making company Lafarge.
Monaco instructed the DOJ’s Criminal Division to study best corporate practices for the use of personal devices and messaging platforms, to be included in the next edition of the agency’s Evaluation of Corporate Compliance Programs. The DOJ will refine its policies to incentivize best practices and to disincentivize conduct that it views unfavorably. Companies should prepare for the forthcoming guidance now by seeking to understand how employees are using personal devices and messaging platforms.
Corporations have a hard time reviewing employees’ telephones — even company-issued employee telephones — in certain jurisdictions, because of the possibility there may be personal information on the device, Sharfstein explains. “It is a balance that our government needs to think through as well as our clients when coming up with policies and procedures that will protect company records, but not intrude on personal matters.”
What’s clear is that, even now, the DOJ, the SEC and other regulatory authorities expect that companies should have clear policies and procedures that instruct employees where they can conduct company matters and company business. From the perspective of corporations, they see themselves as expected to enforce that policy, give clear training on that, and act in a responsible manner.
“It’s a timeless issue that misconduct occurs sometimes in ways in which companies don’t have visibility,” Sharfstein adds. “Companies would be wise to give clear guidance so [that], when there is scrutiny, they’re able to defend the instructions that they gave to their employees.”
Managing misconduct risk related to personal communications and messaging platforms will require companies to develop strong policies that include a personal accountability element for the employees.
Yet, Christian Hunt, founder of Human Risk, a consultancy in Munich, says that may be a difficult task for some companies. “It is unreasonable and unrealistic to expect firms to manage this risk on their own,” Hunt explains. “They should be required to do everything they can to deter and prevent it — I’m not letting them off the hook. But we also need to recognize that these are channels that people commonly use for private conversations — and remember many bankers are encouraged and incentivized to build personal relationships with their clients — so we’re talking about a grey area that’s not as simple as delineating work and non-work. So, I’d favor also holding employees personally responsible for their actions — an accountability regime if you like.”
A successful compliance program all comes down to corporate culture, Monaco noted in a September 2022 speech. Intentional bad actors seeking to avoid scrutiny will use communication outside employers’ systems. It is another timeless issue that poses a challenge for employers when making and enforcing communications compliance policy.
“Resourcing a compliance department is not enough,” she explained. “It must also be backed by, and integrated into, a corporate culture that rejects wrongdoing for the sake of profit, and companies can foster that culture through their leadership and the choices they make.” For example, she added, an increasing number of companies have promoted that culture by choosing to reflect corporate values in their compensation systems by employing clawback provisions, the escrowing of compensation, and other ways to hold financially accountable individuals who contribute to criminal misconduct as deterrents.
“Compensation systems that clearly and effectively impose financial penalties for misconduct can deter risky behavior and foster a culture of compliance,” Monaco said.