U.S. DOJ tells firms “do not wait for us to call you” in compliance for personal communication
The Department of Justice has alluded to new rules around the use of personal communication devices, and points to senior manager involvement as an aggravating factor for non-compliance.
– The DOJ is exploring new rules and guidance surrounding compliance for personal communication and third-party messaging
– In a speech, the DOJ’s Acting Principal Deputy Assistant Attorney General has said that these communication channels are making it difficult for firms to show they have a “well-functioning compliance program”
– The DOJ wants to see proactive compliance with a clear message, “do not wait for us to call you”
– The involvement of senior management within non-compliant communications is increasingly challenging and will be considered an “aggravating factor” where misconduct occurs
First the U.S. Securities and Exchange Division (SEC) came for JP Morgan, and they did not comply. Then FINRA came for investment banks, and they did not comply. Now, the Department of Justice (DOJ) is considering revising guidance for communication channels, and they expect you to comply.
Speaking at the 39th International Conference on the Foreign Corrupt Practices Act, Acting Principal Deputy Assistant Attorney General, Nicole Argentieri, has alluded to new guidance from the DOJ regarding companies’ record-keeping obligations for employees’ use of personal devices and apps, including WhatsApp, WeChat and Signal. The DOJ is the latest regulator to weigh in on more stringent oversight of communication channels, following enforcement action across the U.S. and beyond.
Additional guidance in compliance for personal communications and third-party messaging
The use of instant and ephemeral messaging apps has become mainstream in everyday communications, but continues to cause challenges for compliance teams – not least when they are used to conduct business activities. Of course, there are often legitimate reasons for the use of these apps in a business setting – this is something that the DOJ recognizes. Benefits can include reliability and enhanced security through end-to-end encryption. However, as with all technology, the communication channels also present myriad risks.
In particular, ephemeral and encrypted messages make it difficult for organizations to “ensure they have a well-functioning program” around compliance for personal communication, not least because they aren’t able to access these communications when necessary.
When apps such as WhatsApp are used in a compliant way they can boost businesses’ offering and allow for effective, fast communication. However, where they are misused – for instance where employees continued to use apps that have been banned – businesses stand to suffer both monetary and reputational costs.
With that in mind, and in keeping with broader regulatory messaging, the Criminal Division of the DOJ is “examining whether additional guidance is necessary about the use of personal devices and third-party messaging applications”.
What are the current guidelines around compliance for personal communications?
Under the current rules, the DOJ asks that firms implement “appropriate guidance and controls” for the use of personal communications and ephemeral messaging platforms – in particular for those that “undermine the company’s ability to appropriately retain business records”. As well as this, the DOJ expects firms to carry out the “appropriate retention of business records” and to prohibit” the improper destruction or deletion” of these records.
While this guidance is far-reaching, given the pace of change and emergent risk of communication technology, the guidance may need to be expanded or made more prescriptive to adequately clarify expectations of compliance for personal communication.
The unequivocal need for regulatory clarity and transparency
While revised guidance around compliance for personal communication may be necessary, the DOJ appears to understand that guidance without transparency and clarity is of little practical use. As such, the DOJ has said it will be “clear and predictable” about expectations and policies.
With that in mind, the DoJ is putting firms on notice that renewed policies and guidance surrounding the use of third-party messaging applications is on the horizon. Given the strength of messaging from U.S. regulators such as FINRA and the SEC, it is likely that any renewed obligations around business communications will be stringent. Firms who do not currently have robust systems, policies and procedures in place would be prudent to reconsider their approach sooner, rather than later.
“Don’t wait for us to call you”
Remaining on the theme of proactive compliance for personal communication, Nicole Argentieri used her speech as a platform in which to encourage voluntary self-disclosure (VSD) and applaud renewed incentives that incentivize this action. She did not mince her words:
“The message here is clear. Do not wait for us to call you. By then, it’s too late.”
She added that “the clearest path for a company – even a recidivist – to avoid a guilty plea or an indictment is voluntary self-disclosure”.
Argentieri’s comments reflect similar comments from SEC Chair, Gary Gensler, who has said that if a firm messes up “come in and talk to [the SEC], cooperate with out investigation, and remediate your conduct”. The dial is shifting towards a transparent landscape in which both regulators and the regulated are encouraged to be open about their work, and where things go awry. Regulators are looking to see proactivity rather than the burying of heads in the sand.
Much like Gensler, Argentieri notes that even where a firm has a history of misconduct, this will “not mean a guilty plea for a company that self-discloses, cooperates, and remediates” unless other aggravating factors are present.
Executive management involvement will not be tolerated
In considering what would constitute an “aggravating factor” for misconduct, Argentieri looks specifically to a topic of increasing global concern – senior manager involvement. In the event that there has been the “involvement by executive management in the misconduct”, this will be seen as an aggravating factor and could veto the benefits of VSD.
The effect of senior manager involvement within the realm of non-compliance for personal communication is becoming a sticky issue for the compliance team who, despite robust messaging, continue to see senior managers acting in a non-compliant way – for example using personal devices or unauthorized communication for personal messaging. How can the compliance team get senior leadership buy-in? Increasing enforcements around increased personal accountability may gradually move the dial…in this instance the approach seems to be more stick than carrot.
If you’re worried about increasing individual accountability for compliance and looking for a solution, get in touch.