On September 27, 2022, the U.S. Securities and Exchange Commission (SEC) announced settlements with 11 major financial institutions, resolving an industry sweep in which employees improperly used personal messaging apps to conduct business. This practice, commonly referred to as “off-channel communication,” occurs when employees conduct business communications on their personal devices or on unauthorized third-party applications such as WhatsApp or WeChat. While the financial sector, unlike other industries, is required by law to keep copies of all business-related communications to or from employees, off-channel communications are ubiquitous in all industries. To that end, the U.S. Department of Justice (DOJ) is preparing guidance for companies on this issue, and we expect it will take a strong stance by recommending that companies have robust, transparent, and meaningful compliance solutions to this issue.
Although the SEC has filed these lawsuits against banks, the DOJ’s guidance applies to any company under investigation in any industry — not just companies in the financial services sector. Whether or not this is an issue your business has dealt with before, off-channel communication is a growing concern.
What is off-channel communication?
In today’s high-tech environment, monitoring employee data is a huge burden. From employee privacy issues to storing massive amounts of data, organizations are constantly faced with new challenges on how best to preserve critical business information. And then you add the problem of employees using unauthorized forms of communication to conduct business.
Many employers are unaware that their employees are using off-channel communications and do not have policies covering their use or method of maintaining the conversations. So when employers face an investigation or litigation, they cannot access, produce, or use this critical piece of evidence.
These unauthorized forms of communication can take many forms and are rarely used with malicious intent. In reality, many employees simply find it easier to communicate via WhatsApp than their work phone or company-approved app. In other cases, customers may initiate communication on a new platform and the agent tries to ensure exceptional customer service by using the customer’s preferred method of communication.
Managers and executives, who often use these unofficial channels of communication themselves, must develop policies and procedures to ensure they retain these communications, as the only other option, banning their use, is increasingly unrealistic. These issues were the very basis of the SEC’s investigation and recent settlements with the banks.
Comparisons in the financial sector
After a multi-year investigation, the SEC concluded that employees at 11 major banks used off-channel communications to conduct their business. The problem occurred “at all levels of seniority” and the number of unsent messages per bank was in the tens of thousands. These communications were both internal and external and often contained important business information, including analysis, market trends, market color, and discussions with brokers and investment advisers.
In the settlements, the banks collectively paid nearly $2 billion in fines and had to hire compliance consultants, change their policies and procedures, and work with the SEC to fix the issues. Of the 11 cases, the SEC orders only affected the recovery efforts of two banks. Each of these banks has taken the following steps:
- Provide training focused on the right communication techniques;
- Have management send clear messages to employees about the use of unauthorized communication channels;
- Improve audit logs to identify and investigate potential off-channel communications;
- Notify superiors of monitoring results;
- Penalize employees for off-channel communications;
- Invest in new technology to facilitate compliant employee communications; and
- Conduct internal investigations and collect data from employees’ personal devices as necessary.
Dealing with off-channel communication in your company
Every industry faces similar risks related to off-channel communications, and government investigators are increasingly scrutinizing companies’ attempts to fix the problem. For example, in its Corporate Enforcement Policy, which covers investigations of the Foreign Corrupt Practices Act and has been applied to other types of cases, the DOJ specifically identifies “volatile messaging platforms that undermine the ability of the corporation to adequately preserve business records or communications.” And just last month, Assistant Attorney General Lisa Monaco announced new guidance on the DOJ’s corporate prosecution efforts. The guidance reflects what prompted the SEC’s investigation into the banking sector, and specifically addresses the use of personal devices and third-party applications and how they affect companies’ ability to monitor communications for wrongdoing and recover them during an investigation. While the DOJ did not release any new guidance in that memo, Deputy AG Monaco tasked the Trial Chamber with developing best practices so they can announce formal guidance on the issue in the near future. The lack of new rules does not mean that you can wait to solve this problem. As demonstrated by the SEC’s recent $2 billion fine collection, state investigators are taking the issue of “off-channel” communications seriously. We assume that this trend will not only continue, but will intensify.
Managing off-channel communications is more than just a compliance issue; it’s a business issue too. Organizations need to know what their employees are telling colleagues, customers and regulators. And, just as important, they must have proper procedures in place to retain that information. For example, if a customer’s investigation or allegation involves a company, the lack of access to off-channel communications, because they have been deleted or are not on the company’s servers, precludes any opportunity to refute the allegations.
We recommend reviewing your policies and implementing a risk-based approach that ensures you have access to information and also allows you to transact business. This is a complex problem for which there is no one-size-fits-all solution. Realistically, companies cannot force employees to use only their corporate email and never use their personal devices. Instead, the best solution is to address this issue by allowing the use of personal devices and messaging apps, while designing compliance controls as part of an effective and comprehensive program.