On September 27, 2022, the United States Securities and Exchange Commission (SEC) announced settlements against 11 major financial institutions, resolving an industry sweep in employees improperly using personal messaging apps to conduct business . This practice, commonly referred to as “out-of-channel communication,” occurs when employees engage in work-related communications on their personal devices or on unapproved third-party apps like WhatsApp or WeChat. While the financial industry, unlike other industries, is required by law to retain copies of all business communications to or from employees, out-of-channel communications are pervasive across industries. To that end, the U.S. Department of Justice (DOJ) is preparing guidance for businesses on this issue, and we expect it to take a strong stance in recommending robust, transparent, and meaningful compliance solutions for businesses to this issue.
Although the SEC brought these lawsuits against banks, the DOJ guidelines will apply to all companies under investigation in any industry, not just companies in the financial services industry. So whether or not it’s a problem your business has faced before, out-of-channel communication is a growing problem.
What are out-of-channel communications?
In today’s high-tech environment, monitoring employee data is a huge burden. From employee privacy issues to the realities of storing massive amounts of data, companies constantly face new challenges on how best to retain critical business information. Then add the issue of employees using unapproved forms of communication to conduct business.
Many employers are unaware that their employees are using out-of-channel communication and have no policies covering their use or how conversations are retained. So when faced with an investigation or litigation, employers cannot retrieve, produce or use this critical evidence.
These unapproved forms of communication can take many forms and are rarely used with malicious intent. In reality, many employees simply find it easier to communicate via WhatsApp than on their work phone or company-approved app. Other times, customers may initiate communication on a new platform, and the employee tries to deliver exceptional customer service using the customer’s preferred method of communication.
Managers and executives, who often use these unofficial communication channels themselves, should develop policies and procedures to ensure they retain these communications, because the only other option, prohibiting their use, is an option. increasingly unrealistic. These issues formed the very basis of the SEC’s investigation and recent settlements with the banks.
Financial sector regulations
After a multi-year investigation, the SEC concluded that employees of 11 major banks used off-channel communications to conduct business. The issue occurred “at all seniority levels” and the number of unsuccessful messages sent, per bank, was in the tens of thousands. These communications were both internal and external and often contained crucial business information, including analysis, market trends, market color, and discussions involving brokers and investment advisers.
In the settlements, the banks collectively paid fines of nearly $2 billion and were required to hire compliance consultants, change their policies and procedures, and work with the SEC to resolve the issues. Of the 11 cases, the SEC orders only discussed the remediation efforts of two banks. Each of these banks has taken the following measures:
- provide training focused on good communication techniques;
- ensure that senior managers send clear messages to employees about the use of unauthorized communication channels;
- improve monitoring protocols to identify and investigate potential out-of-channel communications;
- communicate monitoring results to supervisors;
- penalize employees for out-of-channel communication;
- investing in new technologies to facilitate compliant communication with employees; and
- conduct internal investigations and, if necessary, collect data from employees’ personal devices.
Managing off-channel communications in your business
Every industry faces similar risks when it comes to “out-of-channel” communications, and government investigators are stepping up their scrutiny of companies’ attempts to remedy the problem. For example, in its Business Enforcement Policy, which covers Foreign Corrupt Practices Act investigations and has been applied to other types of cases, the DOJ specifically denounces “ephemeral messaging platforms that compromise the company’s ability to properly preserve business records or communications”. And last month, Deputy Attorney General Lisa Monaco announced new direction on the Department of Justice’s criminal law enforcement efforts. Mirroring what led the SEC to its investigation into the banking industry, the guidance specifically focused on the use of personal devices and third-party apps and how they impede companies’ ability to monitor communications to detect faults and recover them during an investigation. Although the DOJ did not promulgate any new guidelines in this memo, Monaco’s Deputy AG has instructed the criminal division to develop best practices so that in the near future it can announce a formal policy on the matter. The absence of new rules does not mean that you can wait to fix this problem. As evidenced by the recent collection of $2 billion in fines by the SEC, government investigators are taking the issue of “out-of-channel” communications seriously. We expect this trend not only to continue, but to grow.
Managing off-channel communications is more than a compliance issue, it’s also a business issue. Companies need to know what their employees are saying to their colleagues, customers and regulators. And, just as important, they must have appropriate procedures in place to retain this information. For example, if a customer investigation or allegation implicates a company, not being able to access out-of-channel communications because they have been deleted or are not on the company’s servers precludes any chance of disproving claims. allegations.
We suggest you evaluate your policies and implement a risk-based approach that ensures you have access to information and also allows you to do business. This is a complex problem with no single solution. Realistically, companies can’t force employees to only use their work email and never use their personal devices. Instead, the best solution is to manage this problem by allowing the use of personal devices and messaging apps while designing compliance controls as an effective and comprehensive program.
If you have questions about the effectiveness of your off-channel communication policies or would like to discuss improving these policies before the next DOJ announcement, please contact us. For more information, please contact a member of the firm white collar crime practice or government investigations practice.