Compliance officers have a lot to ponder in the Justice Department’s recent updates to its guidance for corporate compliance programs. The most demanding issue, however, might be how the department wants companies to handle employees’ use of messaging apps. It’s going to be quite the challenge.
Clearly, messaging apps are a priority for the Justice Department and other regulators; just look at the recent enforcement actions against Wall Street banks for their abuse of messaging apps. The monetary fines against the banks were significant, and each offending bank had to hire an “independent compliance consultant” (read: compliance monitor) to review the policies, procedures, training, and technology the bank uses to govern employee use of messaging apps.
Now the Justice Department has incorporated its expectations for messaging apps into its guidelines for effective compliance programs. So what’s the best, wisest response that companies (and compliance officers) can offer to that?
First, we can’t fault regulators for wanting companies to crack down on improper messaging apps. At best, Snapchat, WhatsApp, and the rest of their ilk allow employees to engage in sloppy recordkeeping practices that violate regulatory obligations; that alone undermines corporate culture and ethical rigor. At worst, the apps help employees to engage in fraud, embezzlement, and other criminal activity.
So of course regulators detest the risk that improper messaging apps pose. The plain truth, however, is that eradicating this risk is impossible. You can reduce the risk through various means, but not erase it completely. There is no way to prevent a determined employee from buying a cheap device, installing an anonymous messaging account, and using it illicitly.
The real issue for companies is how they can reduce their own liability risk when those messaging violations inevitably happen. Which brings us back to the Justice Department’s guidance for compliance programs and messaging apps.
Policies, Procedures, and Consistency
The good news is that the Justice Department recognizes the reality about messaging apps. You can see that on Page 17 of its guidance about compliance programs, in a paragraph introducing the subject of messaging apps:
Policies governing such applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company. Prosecutors should consider how the policies and procedures have been communicated to employees, and whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.
The message here isn’t that the Justice Department wants to see 100 percent success and compliance. The message is that the department wants to see a thoughtful approach to the risk of improper messaging apps, guided by policies and enforced consistently.
The rest of the guidance on messaging apps simply drives home that point. Some of the questions touch on recordkeeping technology (“What preservation or deletion settings are available to each employee under each communication channel?”), but most of the material talks about policies for how employees should use technology and how discipline is enforced for violations.
As a compliance officer, you will need to sift through several broad questions and competing interests to figure out the best solution for your own business. For example:
- What is technically possible? That is, what messaging apps would make sense for your business to use, and how would you control their settings to meet your recordkeeping obligations?
- What is practically possible, given your employees and business model? Some policies might seem like brilliant ways to reduce compliance risk, but they won’t fit how your employees work.
- How much do you want to trust your employees? The better your overall control environment and ethical culture, the less invasive and draconian your policies and monitoring need to be.
That third question is where the success of all these efforts lives and dies. Extreme policies about messaging — no personal devices allowed at work; constant monitoring of all communications — might seem impressive, but they can also drive employee communications underground and alienate your workforce. That does nobody any good.
The challenge here is really about winning over employees to the ethical cause of using company-approved messaging channels, so you can meet your recordkeeping obligations. It’s about persuasion and reasonableness as much as it’s about enforcement.
Winning the Messaging War
One recent example that strikes me as smart is Morgan Stanley, one of the banks sanctioned in last year’s Justice Department sweep. According to an article in the Financial Times earlier this year, Morgan Stanley has since implemented numerous reforms. Some are meant to show employees the approved way of using messaging apps; others are disciplinary measures punishing those who violate the messaging policy anyway.
Specifically, Morgan Stanley:
- Trains employees on scenarios when they should shift conversations on their personal devices onto bank-approved messaging apps;
- Explains that even conversations that seem harmless might lead to compliance risk, since the conversation might wander into business-related subjects;
- Has parted ways with several senior employees who had violated previous policies about unauthorized messaging apps;
- Implemented a disciplinary scheme where the bank can withhold or claw back bonus pay for people who violate the policy. Those penalties apparently work on a sliding scale depending on the seniority of the employee and any past history of violations; the worst penalties have topped $1 million.
There’s lots to like in that approach. First, it combines policy, training, and disciplinary enforcement in a coherent way. Second, it respects the reality of how people work: they use personal devices and perhaps even non-work messaging apps. An employer can’t stop that without terribly invasive methods (that might well violate privacy laws or union contracts), but an employer can demonstrate the circumstances where continued use of unapproved messaging could lead to compliance violations. Third, it enforces discipline by hitting employees in the pocketbook, and in the worst cases by showing them the door.
That’s a comprehensive approach to the headache of messaging apps, which is exactly what the Justice Department wants to see.
Of course, the proof remains in the pudding; an employer needs to implement all those policies and procedures uniformly and consistently. So the compliance team itself needs to maintain diligent records of who committed what violations, what sanctions those people did or didn’t receive, and why.
Coincidentally, all that is exactly what JPMorgan’s independent compliance consultant had to review as part of JPMorgan’s messaging settlement announced back in 2021. So if you want to understand your own documentation needs, or what you might want to include in scope for an internal audit to assess your approach to messaging apps, reviewing that settlement would be a good place to start.
If you have any thoughts about all this, of course I’m eager to hear them. My preferred unauthorized app is Signal.