Deputy Attorney General (DAG) Lisa Monaco’s September 15, 2022, memorandum on revisions to the Department of Justice’s (DOJ) Corporate Enforcement Policies (the Monaco Memo) reflects that preservation of business communications is a significant factor in DOJ’s evaluation of corporate compliance programs and resolutions of criminal liability. The modern workforce increasingly relies on personal devices and third-party messaging platforms for business communications, and companies must develop and implement comprehensive policies and procedures that address where such communications are stored and ensure that they can be accessed and preserved appropriately.
- DOJ expects companies to implement effective measures to preserve all business-related communications, regardless of the medium on which those communications take place.
- Corporate compliance programs that do not provide a means to retain and access business communications on personal devices and third-party messaging applications could result in a loss of cooperation credit and increased criminal penalties.
- There is no one-size-fits-all approach. A compliance solution should be practical, meet applicable regulatory requirements, address the realities of employee communications, and reflect effective implementation and enforcement.
Background on DOJ and Regulators’ Policies and Pronouncements
Recent DOJ enforcement actions and policy speeches by DOJ leadership demonstrate DOJ’s concern that some corporate employees are using personal devices and third-party messaging applications to commit crimes. Such communications are often outside company control, making it difficult to prevent and detect misconduct. DOJ’s inclusion of a section on the use of personal devices and third-party applications in the Monaco Memo reflects that DOJ intends to scrutinize whether companies have ensured that data from personal devices and messaging platforms is preserved for compliance and investigations.
To evaluate a compliance program as part of a potential corporate criminal resolution, DOJ prosecutors are directed by the Monaco Memo to consider whether the company “has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.” DOJ considers whether the company has three fundamental elements: (1) “effective policies,” (2) “clear training to employees about such policies,” and (3) enforcement when policy violations are identified. The Monaco Memo further provides that, for a company to receive cooperation credit, policies should “ensure that [a company] will be able to collect and provide to the government all non-privileged responsive documents relevant to [an] investigation, including work-related communications (e.g., texts, e-messages, or chats), and data contained on phones, tablets, or other devices.” It also directs DOJ’s Criminal Division to “further study best corporate practices” and “incorporate the product of that effort into the next edition of its Evaluation of Corporate Compliance Programs.”
DOJ’s concern about corporate retention of business communications on personal devices and applications is not a new phenomenon. In November 2017, DOJ issued its Foreign Corrupt Practices Act (FCPA) corporate enforcement policy, which initially required companies to “prohibit employees from using software that generates but does not appropriately retain business records or communications” in order to receive full cooperation credit. In May 2018, the Chief of DOJ’s FCPA Unit informed companies not to “expect full cooperation [credit] if there are no records of the misconduct.” Following concern from the business and legal communities that the prohibition was unworkable, DOJ softened its stance in March 2019, revising the FCPA corporate enforcement policy to require that companies “implement appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.” The Monaco Memo expands on this more measured and nuanced approach.
The Monaco Memo’s focus on preserving business communications follows similar pronouncements from federal regulators. The Securities and Exchange Commission (SEC) has explicitly stated that it will ask courts for adverse inferences or other relief against a company under investigation that failed to preserve evidence. The Commodity Futures Trading Commission (CFTC) likewise recently delivered “a zero-tolerance message” that CFTC would not allow financial institutions to undermine its enforcement efforts by obfuscating or deleting communications relating to trading activity.
Failure to implement sufficient policies and protocols could result in significant penalties. In September 2022, the SEC announced $1.1 billion in fines against 16 financial institutions to resolve investigations over employees’ use of third-party messaging applications to conduct business, in violation of SEC Rule 17a-4(b)(4), which requires preservation of written communications. The CFTC also announced settlements for related conduct that violated provisions of the Commodity Exchange Act. In such settlements, the CFTC found that those firms failed to supervise and stop employees from using off-channel business communications notwithstanding preservation requirements. Although these resolutions were based on specific preservation requirements for regulated entities, they nevertheless reflect enforcement agency concerns that companies are not appropriately addressing new technologies that allow employees to communicate outside of the corporate environment.
Compliance Best Practices to Consider
As noted above, the Monaco Memo requires that companies implement policies governing personal devices and third-party messaging platforms for corporate communications, provide training to employees about such policies, and enforce the policies when violations are identified. The Monaco Memo also requires companies seeking cooperation credit to implement policies that allow them to collect and produce to the government work-related communications and other data contained on phones, tablets, or other devices that employees use for business purposes.
In view of the Monaco Memo, companies should revisit their personal device and messaging application policies and make necessary adjustments, including considering how to monitor employee compliance. To do so, companies should consider taking the following actions: (1) conduct a risk assessment, (2) consider enhancing policies and procedures in a manner that complies with regulatory requirements and reflects the realities of how employees communicate, (3) implement effective employee training, and (4) establish sufficient monitoring and enforcement.
1. Risk Assessment
To evaluate whether revisions to policies and procedures are warranted, companies should begin by conducting a risk assessment. The risk assessment should be designed to (1) evaluate how employees actually communicate in the course of their work, including whether employees are using ephemeral messaging platforms; (2) assess whether existing policies and procedures are responsive to the ways in which employees communicate; (3) identify any control gaps that must be addressed so that business data is preserved and can be collected; and (4) assess whether technological fixes are available to ensure retention of business communications (e.g., adopting enterprise versions of popular third-party messaging platforms, implementing tech solutions that give companies access to business interactions on a range of mobile messaging applications, or turning off auto-delete functionality).
An updated risk assessment is particularly important given the increased use of personal devices and messaging applications since the onset of the COVID-19 pandemic and the evolving communication patterns of employees in hybrid workplaces.
2. Update and Enhance Policies and Procedures
Based upon a risk assessment, companies should consider updating and enhancing their policies and procedures to meet applicable regulatory requirements and the realities of how employees communicate. There is no one-size-fits-all solution, and a company’s compliance program should be tailored to its business practices and applicable regulatory requirements. Companies should consider their ability to access employee personal devices, including via mobile device management (MDM) solutions, and reevaluate “bring your own device” (BYOD) policies to ensure effective compliance. As discussed above, they must also consider ephemeral messaging applications that may complicate an organization’s ability to preserve communications.
a. Access to Personal Devices and Mobile Device Management
Companies, such as financial institutions, that are subject to strict preservation requirements by regulators may decide to prohibit all business communications on personal devices and third-party messaging platforms. But even companies that impose such prohibitions cannot ignore that employees may not abide by such prohibitions and that it may not be realistic to eliminate all business communications on personal devices and messaging applications. Instead, it is a better practice, as suggested in the Monaco Memo, to take appropriate and practical steps to access, monitor, and collect off-channel business communications. To do so, companies may wish to consider taking the following actions:
- requiring employees to grant written consent to the company to access business communications on personal devices as a condition of employment, subject to applicable privacy laws;
- implementing MDM solutions for personal devices, including installing a management suite or “sandbox” on personal devices that delineates where business-related communications reside and allows an employer to monitor and collect such communications; and
- implementing enterprise versions of popular messaging applications to allow an employer to preserve, access, and control business communications on those applications.
b. BYOD Policies
BYOD policies that permit employees to use their personal devices for work should be reevaluated and enhanced to meet DOJ’s and regulators’ expectations. For example, companies should impose data retention requirements; specify which data the company may access, monitor, and retain; and provide a means to ensure employer access and retention. Companies should be thoughtful about the contours of BYOD policies and consider whether a BYOD policy may not be appropriate for certain categories of executives and other employees whose communications could draw regulatory scrutiny. As part of a BYOD policy, a company may decide to mandate, as a condition of using personal devices for work, that employees consent to the company’s collection of business-related data from those devices, subject to applicable privacy laws.
3. Employee Training
Under the Monaco Memo, companies must train employees on the contours of corporate policies and procedures and regulatory requirements and instruct them on how to preserve business-related communications. Companies should generally train employees when they are onboarded and develop a risk-based approach to refresher training. Companies should also keep meticulous training records, which can be of particular importance when discussing the sufficiency of the corporate compliance efforts with DOJ and other agencies.
4. Monitoring and Enforcement
The Monaco Memo states that companies should enforce their personal device and third-party messaging application policies when violations are detected, but it does not explain how companies should detect such violations. DOJ’s position likely reflects its acknowledgment that companies’ approaches will vary based upon their business practices. For example, a company that does business in countries where third-party messaging applications are ubiquitous faces greater risk than a non-regulated company that does business in countries where the business community has not yet adopted such applications. In any event, although the Monaco Memo does not expressly discuss monitoring, companies should explore ways to monitor or audit off-channel communications and potential data loss to ensure effective enforcement, including by conducting “spot” audits of employees.
If a violation is detected, companies should take appropriate remedial steps, including employee discipline or more systemic responses such as those discussed above.
The Monaco Memo encourages companies to take a proactive approach to ensuring that personal devices and third-party applications are not used for inappropriate communications and that company data generated on such platforms is preserved for appropriate uses, including for compliance and investigations. The touchstone for companies is to devise and implement a practical, good-faith program designed to reduce risk and ensure compliance.