‘Messaging Risk’ for Everyone Else

After my last post about financial services firms getting socked by regulators for employees’ use of improper messaging apps, a compliance officer in the manufacturing sector messaged me (improperly, of course) and declared, “The first time they sanction a non-financial company for this stuff, compliance officers will be panicking in the streets.” 

I agree with that statement in theory. In practice, however, compliance officers need to ask: Are we making a mountain out of a molehill here? 

That question is a quiet undercurrent I’ve heard from several compliance officers lately. Nobody is saying that non-financial companies can rest easy (and I’d be the first to say no, you shouldn’t), but we should pause to understand precisely what the legal and compliance risks are for non-financial companies. Only then can compliance officers craft a set of policies and procedures that are reasonable and sensible for the risk at hand.

First let’s look at the companies already sanctioned by the Securities and Exchange Commission and the Justice Department for improper messaging. They’re all broker-dealer firms or the broker-dealer subsidiaries within larger financial holding companies. 

Those firms must comply with SEC Rules 17a-4(b)(4) and 17a-4(j), which specify that broker-dealers must preserve “all communications and copies of all communications sent … relating to its business as such” for periods ranging from two to six years. 

That’s been the legal basis for all these messaging enforcement actions, and it’s solid footing for action against broker-dealers. They were supposed to maintain complete records, and they didn’t, and that alone is a compliance violation. 

So what about the vast majority of businesses that aren’t broker-dealers, where Rule 17a-4(b)(4) doesn’t apply? What are their duties for proper recordkeeping? 

Books and Records?

My first thought was to look up the books and records provisions of the Foreign Corrupt Practices Act. Wouldn’t the “records” part of books and records cover business communications? 

Not necessarily. The books-and-records provisions of the FCPA generally require companies to maintain accurate accounting records. For example, Section 13(b) of the Securities Exchange Act says that public companies “shall make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.”

The relevant SEC rules also specify that “no person shall directly or indirectly, falsify or cause to be falsified, any book, record or account subject.”

OK, but let’s be clear that the above provisions forbid executives (and by extension, employees) from falsifying business records. So if employees are using Snap, WhatsApp, or other messaging apps that don’t preserve a record of those communications, but the employees are not using those apps to foist some deception on investors — is that really a compliance violation?

For example, if several employees use off-channel messaging apps to perpetrate a bribery scheme or to cover up forced-labor abuses in their supply chain, then they are causing books and records to be falsified; the company is declaring to investors that everything is peachy, but the records used to make that assertion are false. So the SEC and Justice Department might nail said company for employees’ use of improper messaging apps, but only as part of a larger enforcement action for committing a crime. 

We’ve seen this numerous times in FCPA land: corrupt employees and overseas agents using secret spreadsheets and Gmail addresses to track their bribery payments, while offering false records to the bean-counters back at headquarters. Stericycle’s enforcement action in 2022 is one such example; there are many more. 

This is the distinction about messaging apps that we need to keep in mind. For broker-dealers, the mere failure to maintain complete and accurate records is enough for a compliance violation under federal securities law. For non-financial companies, using ephemeral messaging apps isn’t a compliance violation unless employees are using those apps to commit some other violation. 

So Why Are We Obsessing Over This?

That’s easy. We’re obsessing over this because if your management team doesn’t try to address unauthorized messaging apps, that will look awful when some other violation does happen. 

Think about it: your company suffers some compliance violations like an FCPA issue or an antitrust conspiracy; and employees were conspiring to do this on unauthorized messaging apps, so the company can’t conduct a swift internal investigation; and management knew employees were chatting on unauthorized messaging apps but never bothered to enforce a policy against that. 

That is a terrible look for a company. It paints the picture of a management team not interested in good ethical conduct, and we all know how that goes over with the Justice Department when evaluating the state of your compliance program. 

Hence the Justice Department included material about messaging apps and communications in its latest update to guidance on effective corporate compliance programs. That’s exactly the right place for discussion of messaging apps, too. After all, companies don’t need to follow the guidance. It’s not illegal to ignore it. It’s just a really dumb idea.

The same can be said for ignoring employee use of messaging apps. For most companies that won’t be a legal violation unto itself — but it’s a really dumb idea, which will make the compliance violations you do have that much more painful.

And that’s why messaging apps are a big compliance concern, for broker-dealers and everyone else too. 
