
Ephemeral Messaging: Navigating the Compliance Dilemma

July 4, 2023

Navigating the legal and compliance challenges associated with professional messages that self-destruct from one day to the next can be a daunting task. These ephemeral messages – inherent in commonplace apps like Signal and WhatsApp – present companies with a dilemma between data retention and monitoring requirements and protecting data privacy.

During the C5 Anticorruption London conference on 20 June 2023, FRA founding partner Frances McLeod joined an international panel of lawyers and compliance experts to share insights on the risks of and practical approaches to dealing with ephemeral messages in the workplace. Martine Beamon (Partner, Davis Polk & Wardwell) shared the US enforcement perspective as well as insight from her role as defense counsel to financial institutions and individuals; Marie-Laure Pedamon (Compliance Director - Business Group Compliance Lead, NOKIA) and Christina Marshall (Regional Compliance & Ethics Officer – EMEA Lead, Oracle) made invaluable contributions from an in-house, non-financial institution perspective; and Patrick Rappo (Partner, DLA Piper) moderated and gave input on the UK environment.

Regulatory demands are growing but remain vague on the “how”, especially outside the financial sector

The recent buzz on this topic in legal and compliance circles has been sparked by the DOJ’s March 2023 guidance, incorporating ephemeral messaging policies and controls into its Evaluation of Corporate Compliance Programs, indicating that scrutiny would expand beyond the financial services sector, where retention obligations have long been implicit [1]. This followed the 2022 ‘Monaco memo’ declaring that a robust compliance program should include effective policies governing personal devices and third-party messaging systems, not only ensuring collection and retention, but also monitoring and enforcing those policies [2]. The fact that the SEC and CFTC collected $1.8 bn from various banks in 2022 for failing to maintain and preserve such messages made the regulatory and commercial risk all the more concrete for observers [3].

However, the C5 panel highlighted that financial institutions (FIs) have operated under strict obligations to keep detailed records of transactions and communications for decades. The norm had been established even before the era of digital communication. If most attendees were not FIs, it was therefore not surprising that about 55% of those polled at the C5 conference said their companies had no policy covering ephemeral messaging – not even as part of a wider electronic communications policy.

2022’s sweeping fines revealed that broker-dealers were failing to put in place the technology, policies and enforcement needed to keep a firm grasp on the ephemeral, despite historically high regulatory demands. Companies outside financial services understandably have some way to catch up.

Technology is only part of the answer

FRA founder Frances McLeod noted that traditional forensic imaging tools did not always work on ephemeral messaging systems. Some technologies and methods were available today, for example, to establish different profiles (business and personal) in a single device, or use gap analysis to detect where important messages may be missing. However, these tools were not foolproof and may not navigate different concerns around data privacy. The way forward is not simply a question of technology, but of legal and compliance teams working with IT to ensure the right culture and policies are introduced to the workforce. Where and how monitoring tools are installed will need to take data protection considerations into account.

The threat of heavy SEC and CFTC fines, weighed against the ubiquity of messaging systems in the modern business environment, makes it an easier decision for FIs to invest significantly in bringing these practices in line with regulatory expectation. For non-FIs waiting to see how enforcement will land for everyone else, the equation isn’t so clear.

The costs and benefits (and practicalities) of pursuing best practice in data retention will look different to each organization. “Bring Your Own Device” (BYOD) policies may be banned for high security sectors, but there is no guarantee that users will draw lines in practice when using their different devices. On the other hand, some companies may be prepared to take the less costly route of allowing personal devices, but they run the risk of having to pursue access to personal devices if an investigation calls for it.

Multinational companies must weigh data retention against data privacy risks

Regardless of sector, companies operating across different jurisdictions cannot ignore today’s complex landscape of varied data privacy regimes, blocking statutes, secrecy acts and more. Even banks do not have free rein to track or seize personal phones. One panelist noted that even in the US – outside the firm reach of GDPR – lawyers were sometimes hired to come between investigators and employees to assure both sides that the work-related data being pursued did not breach privacy. This would clearly be a costly workaround for companies, but a cost greater than providing the full workforce with professional phones outfitted with the technology to monitor and track communications? The assessment must lie with senior management, legal, compliance and IT teams together, drawing on expert advice as needed.

A risk-based approach remains core to an effective and defensible plan of action

So where to begin? As is the case in more traditional aspects of anticorruption compliance programs, the key to presenting “good faith” efforts to regulators when needed is to start with a robust risk assessment and document a holistic approach to tackling the use of such systems in each company. If it isn’t proportionate for a company to pursue the standards of financial institutions, it must be prepared to explain the choices made instead.

The panel offered several top tips to consider when conducting a tailored risk assessment, including polling employees to find out which systems were most used and why, and assessing the suitability of technology used for internal investigations. IT teams should take ownership of identifying new technology as it becomes available and work with the business and compliance to ensure relevant policies on acceptable tools and usage thereof are updated as near to real time as possible.

Patrick Rappo summed up the discussion by noting that the questions at hand were how to access ephemeral data, how to protect it once you have it, and then how to interpret it. Companies and their advisors should share best practice and engage objective advice. No system will be water-tight, but best practice can be adapted.




With thanks to the panelists:

  1. Patrick Rappo, Partner, DLA Piper
  2. Martine M Beamon, Partner, Davis Polk & Wardwell
  3. Christina Marshall, Regional Compliance & Ethics Officer – EMEA Lead, Oracle
  4. Marie-Laure Pedamon, Compliance Director - Business Group Compliance Lead, NOKIA
  5. Frances McLeod, Founding Partner, FRA

FRA was a proud sponsor of C5’s Anticorruption London 2023.
