A Double Whammy of Accountability

Holy cow! The compliance world had two big stories break within the last 24 hours: one about a Wall Street bank trying to hold employees accountable for good behavior, the other about the legal risks for corporate executives who don’t.

We can start with the Wall Street bank, because everyone loves to pick apart what those guys do. Apparently the bank in question, Morgan Stanley, has started fining employees as much as $1 million for using WhatsApp and other unauthorized messaging apps to conduct company business. 

Using such apps — known as “ephemeral messaging services” because the messages disappear after a period of time — is now a big no-no in the banking world, because they violate the records retention rules that financial services firms are supposed to obey. JPMorgan paid $200 million to settle such charges in 2021, and another 16 Wall Street firms paid a total of $1.1 billion last year for similar offenses. Morgan Stanley was in that group.

Now, according to the Financial Times and other media outlets, Morgan Stanley has implemented a disciplinary system that fines employees for such offenses. The bank uses a points system to calculate penalty amounts, based on factors such as the banker’s seniority, number of messages sent, and whether the offending employee had received previous warnings. 

The fines have ranged from several thousand dollars to more than $1 million. Smaller amounts are docked from employees’ pay; larger amounts are clawed back from previously awarded bonuses. (Morgan Stanley had also parted ways with several senior executives in 2020 for similar misconduct, well before regulators made ephemeral messaging apps an enforcement priority.)

Morgan Stanley also now provides training to employees to avoid these predicaments, the FT said. That training includes scenarios and examples of when personal chit-chat turns to professional matters, which should prompt employees to turn to bank-approved messaging apps.

Compliance officers outside the banking sector should pay attention here because the Justice Department has talked numerous times lately about all companies’ duty to preserve evidence in criminal investigations, and how employee use of ephemeral messaging apps threatens that duty. Supposedly the Criminal Division is developing guidance on how companies might navigate this issue. For now, Morgan Stanley is one example of how you might approach the problem.

Liability for Failures of Accountability

We also have a groundbreaking ruling from the Delaware Chancery Court on Wednesday, extending the duty of oversight that corporate board directors must exercise to corporate executives as well — and exposing those executives to liability in shareholder lawsuits if they fail at that duty.

The case, In Re McDonalds Corp., involves shareholders suing David Fairhurst, who served as global chief people officer at McDonalds in the late 2010s. The plaintiffs say Fairhurst and his then-boss, Stephen Easterbrook, allowed a culture of sexual harassment at McDonalds during their tenure.

If Easterbrook’s name rings a bell, that’s because he just settled civil charges with the Securities and Exchange Commission, that he misled McDonalds’ board (and therefore deceived investors) when he lied about having numerous affairs with subordinates while Easterbrook was CEO. Easterbrook paid $400,000 to settle the SEC charges, and had previously paid McDonalds $105 million to settle a civil lawsuit over his behavior.

Now it is Fairhurst’s turn in the fryolator. Shareholders had sued him, alleging that he ignored warning signs of McDonalds’ toxic culture and therefore breached his duty to the company and investors. Delaware Chancery Court judge Travis Laster ruled in the shareholders’ favor, and expressly said: “This decision clarifies that corporate officers owe a duty of oversight. The same policies that … recognize the duty of oversight for directors apply equally, if not to a greater degree, to officers.”

Moreover, the judge said… 

[Fairhurst] had an obligation to make a good faith effort to put in place reasonable information systems so that he obtained the information necessary to do his job and report to the CEO and the board, and he could not consciously ignore red flags indicating that the corporation was going to suffer harm. 

This ruling could have super-sized implications for high-level corporate executives, including chief compliance officers. Laster essentially is saying that corporate officers must try to implement systems that let them know what is going on within their area of responsibility. If the executives don’t take that effort seriously, or ignore the information that those systems produce — blammo, you could be on the receiving end of a shareholder lawsuit.

To be clear, Laster is only saying that you must make a good faith effort to build a system that lets you know the state of compliance at your business (or, say, the state of financial reporting if you’re the CFO, or the state of enterprise risk if you’re a chief risk officer, and so forth). You might make that good faith effort, and the program still fails to detect something. This ruling doesn’t mean that you now need to hire an attorney.

Then again, what if the board and senior executives don’t give you the resources necessary to build those information systems? If the company later suffers an incident, could that end up pitting the board against officers, as each side tries to say the other was at fault? (“You didn’t report to us the information we needed!” “No, you didn’t give me the resources to collect that information!”) 

In fact, let’s string this ruling and Morgan Stanley’s messaging story together. If Morgan Stanley’s compliance team didn’t put together a collection of policies, procedures, and punishments for employees using ephemeral messaging, would those compliance leaders now be liable for future failures? What about the line-of-business managers who are supposed to be in charge of these bankers gabbing on WhatsApp and Snapchat? What counts as a thorough “information system” for something like this, anyway?

Basically, we have a messy new front in Delaware corporate law. This ruling will need much more thought, but for now, corporate officers should consider themselves put on notice.