On September 27, 2022, the U.S. Securities and Exchange Commission (SEC) announced settlements against 11 major financial institutions, resolving an industry sweep into employees improperly using personal messaging applications to conduct business. This practice, commonly referred to as “off-channel communication,” occurs when employees engage in business communications on their personal devices or on unapproved third-party applications like WhatsApp or WeChat. While the financial sector, unlike other industries, is required by law to keep copies of all business-related communications to or from employees, off-channel communications are pervasive across industries. To that end, the U.S. Department of Justice (DOJ) is preparing guidance for corporations on this issue, and we expect it to take a strong stance by recommending that corporations have robust, transparent, and meaningful compliance solutions to this problem.

Although the SEC brought these cases against banks, the DOJ’s guidance will apply to every company under investigation in any industry—not only companies in the financial services sector. So, whether or not this is an issue your company has addressed before, off-channel communication is a growing issue.

What Are Off-Channel Communications? 

In today’s high-tech environment, monitoring employee data is an enormous burden. From questions of employee privacy to the realities of storing massive quantities of data, firms are constantly confronted with new challenges on how best to retain essential business information. And then add on the issue of employees using unapproved forms of communication to conduct business.

Many employers do not know that their employees are using off-channel communication and have no policies covering their use or method of retaining the conversations. So, when faced with an investigation or litigation, employers cannot retrieve, produce, or use these critical pieces of evidence.  

These unapproved forms of communication can take many forms and are rarely used with malicious intent. In reality, many employees simply find it easier to communicate over WhatsApp than on their work phone or on their company-approved app. Other times, clients may initiate communication on a new platform and the employee is trying to ensure exceptional client service by using the client’s preferred method of communication. 

Managers and executives, who often use these unofficial communication channels themselves, must develop policies and procedures to ensure that they retain these communications, because the only other option, prohibiting their use, is an increasingly unrealistic option. These issues were the very basis for the SEC’s investigation and recent settlements with the banks. 

Financial Sector Settlements

After a multiyear investigation, the SEC concluded that 11 major banks’ employees were utilizing off-channel communications to conduct business. The issue occurred “at all seniority levels,” and the number of unretained messages sent, per bank, numbered in the tens of thousands. These communications were both internal and external, and often contained crucial business information, including analysis, market trends, market color, and discussions involving broker and investment advisors.  

In the settlements, the banks collectively paid fines of almost $2 billion and were required to hire compliance consultants, change their policies and procedures, and work with the SEC to remediate the issues. Of the 11 cases, the SEC orders discussed only two banks’ remediation efforts. Each of those banks took the following steps:  

• provide training focused on proper communication techniques;
• have senior managers send clear messages to employees about the use of unauthorized communication channels; 
• enhance surveillance protocols for identifying and investigating potential off-channel communications;
• communicate surveillance findings to supervisors; 
• penalize employees for off-channel communication;
• invest in new technology to facilitate compliant employee communication; and
• conduct internal investigations and, if necessary, collect data from employees’ personal devices.

Handling Off-Channel Communications at Your Company

Every industry faces similar risks with respect to “off-channel” communications, and government investigators are increasing their scrutiny of companies’ attempts to remediate the issue. For example, in its Corporate Enforcement Policy, which covers Foreign Corrupt Practices Act investigations and has been applied to other types of cases, the DOJ specifically calls out “ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications.” And just last month, Deputy Attorney General Lisa Monaco announced new guidance about the DOJ’s corporate criminal enforcement efforts. Mirroring what led the SEC to its investigation of the banking industry, the guidance specifically addressed the use of personal devices and third-party applications and how they impede companies’ abilities to monitor communications for misconduct and recover them during an investigation. While the DOJ did not promulgate new guidance in this memo, Deputy AG Monaco tasked the Criminal Division with developing best practices so that, in the near future, it can announce a formal policy on the issue. The lack of new rules does not mean that you can wait to address this issue. As evidenced by the SEC’s recent collection of $2 billion in fines, government investigators are taking the issue of “off-channel” communications seriously. We expect this trend to not only continue, but to grow.   

Managing off-channel communications is more than a compliance issue—it’s also a business issue. Companies need to know what their employees are saying to colleagues, customers, and regulators. And, as important, they need to have appropriate procedures to retain that information. For example, if an investigation or allegation by a customer implicates a company, not being able to access off-channel communications because they have been deleted or are not on company servers prevents any chance of refuting the claims.

Recommendations

We suggest evaluating your policies and implementing a risk-based approach that ensures that you have access to information and also allows you to conduct business. This is a complex issue with no one-size-fits-all solution. Realistically, companies cannot force employees to use only their company email and never use their personal devices. Instead, the best solution is to manage this issue by permitting the use of personal devices and messaging apps while designing compliance controls as an effective and comprehensive program.   

If you have any questions about whether your off-channel communication policies are effective, or if you would like to discuss improving these policies before the DOJ’s forthcoming announcement, do not hesitate to reach out to us. For more information, please contact a member of the firm’s white collar crime practice or government investigations practice.