Text messaging is convenient. It is an informal and instant mode of communication now available through numerous apps, which allow an individual to use their synced phone, tablet, and computer to quickly fire off messages. It’s no wonder that text messaging has extended beyond the realm of friends and family, taking hold in our daily business communications.
However, intra-company text messages and other off-channel business communications have drawn scrutiny from the federal government because they undermine a company’s ability to maintain effective recordkeeping.
For some companies, that recordkeeping is a regulatory requirement. On September 27, 2022, the U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) announced that they had entered into settlements with various financial institutions for violations of recordkeeping requirements in the use of electronic communications. Through the SEC’s consent orders, 15 broker-dealers and one affiliated investment adviser admitted to having violated certain recordkeeping provisions of the Securities Exchange Act of 1934. Separately, 11 financial institutions with CFTC-registered businesses settled charges that they had failed to maintain, preserve, or produce records governed by CFTC recordkeeping requirements, and had failed to diligently supervise matters related to their businesses as CFTC registrants. The combined penalties for the involved entities total more than $1.8 billion. In addition to being hit with fines, each firm agreed to retain compliance consultants, who will conduct comprehensive reviews of their policies and procedures relating to the retention of electronic communications on personal devices.
These settlements may be part of a broader and ongoing regulatory crackdown against off-channel communications at financial institutions. For example, this summer HSBC told investors that it was facing scrutiny from U.S. regulators over the use of “unapproved electronic messaging platforms for business communications,” yet it was not among the firms in this round of settlements. The SEC noted its own investigation into this issue is ongoing.
For companies that are not subject to securities or commodities laws or regulations, off-channel communications nevertheless present a compliance problem. Take, for example, FCPA enforcement. In 2017, the U.S. Department of Justice (DOJ) issued its FCPA Corporate Enforcement Policy, setting forth the DOJ’s approach to the investigation, prosecution, and resolution of Foreign Corrupt Practices Act violations. The policy provided that a company could not receive full credit for remediation of a potential FCPA violation without demonstrating that it “prohibit[ed] employees from using software that generates but does not appropriately retain business records or communications.” This guidance led to uncertainty among companies about whether to prohibit messaging apps like WhatsApp or apps with ephemeral (disappearing) messages like SnapChat, or to purchase company versions of such apps to ensure that business communications would be stored appropriately and could be accessed by the company.
In 2019, the DOJ updated its FCPA policy, clarifying that companies do not have to prohibit employees from using these messaging apps but must at least “implement appropriate guidance and controls” regarding the use of these apps, which undermine the company’s recordkeeping capabilities. This policy shift freed companies from having to impose blanket prohibitions on messaging apps but required them to make difficult decisions about what kind of guidance and controls would be considered “appropriate” by a potential DOJ investigator, based on the particular circumstances of the business or the type of communication at issue.
Last month the DOJ released additional guidance regarding off-channel business communications. On September 15, 2022, Deputy Attorney General Lisa Monaco issued a memorandum revising the DOJ’s corporate criminal enforcement policies. The memorandum sets forth, among other things, factors that the DOJ considers in assessing corporate accountability for misconduct. One of those factors is the strength of a company’s compliance program—a stronger program can sweeten the terms of a settlement agreement. And, according to the memorandum, one of the elements that the DOJ will review in assessing a company’s compliance program is how the company regulates its employees’ use of third-party messaging apps.
Prosecutors will look for evidence of effective policies and procedures regarding the use of personal devices and messaging apps. To provide prosecutors with clearer guidance, Deputy Attorney General Monaco has tasked the Criminal Division to “further study best corporate practices regarding use of personal devices and third-party messaging platforms and incorporate the product of that effort into the next edition of its Evaluation of Corporate Compliance Programs, so that the Department can address these issues thoughtfully and consistently.” In the meantime, corporations wishing to demonstrate that they have a strong compliance program need “effective policies governing the use of personal devices and third-party messaging platforms for corporate communications[,]” as well as “clear training to employees about such policies” and enforcement of those policies. Ultimately, to obtain cooperation credit, preservation is paramount: prosecutors will consider whether a company “has instituted policies to ensure that it will be able to collect and provide to the government all non-privileged responsive documents relevant to the investigation, including work-related communications (e.g. , texts, e-messages, or chats), and data contained on phones, tablets, or other devices that are used by its employees for business purposes.”
The bottom line is that intra-company text messaging may present a compliance issue. Even if the communications within your company are not subject to specific recordkeeping rules, you should carefully consider what sort of guidelines and training are necessary to ensure that the company maintains a proper level of recordkeeping.