The DOJ’s new policy recognizes third party messaging applications are “ubiquitous”
DOJ has long sought to ensure, in policy and practice, that evidence related to corporate and individual wrongdoing is preserved and available for review. Given the explosion in the number of third party messaging applications in recent years and their increased use for business purposes, it is unsurprising that DOJ has turned its sights on these communications platforms as part of its broader enforcement strategy. As such, the use of these third party messaging applications poses new compliance risks for companies. This compliance risk is heightened – and DOJ’s focus will be sharpened – when the use of third party messaging applications by employees involves “ephemeral messaging” applications that delete messages after sending – where, by design or by user setting, retention of communications will not occur.
The reason for this risk is that the ability to preserve business-related electronic data is a basic yet important step in responding to DOJ or regulatory requests for documents. DOJ recognizes that third party messaging communications are likely to be much more frank and unvarnished even than email. Moreover, when companies internally discover misconduct, the unavailability of such communications makes it far more challenging to fully and effectively investigate potential wrongdoing and to assess difficult questions regarding whether to self-disclose potential misconduct, especially in light of heightened incentives for doing so.
Although the Securities and Exchange Commission (SEC) has long prohibited the use of messaging applications by certain securities dealers, historically DOJ has lacked a formal policy regarding companies’ use of such applications – even though the first question following a voluntary self-disclosure often has been whether the company has imaged personal device data. However, in recent months, DOJ has made clear that companies must revisit and strengthen their policies and the rationale behind these policies, as it relates to third party messaging and personal devices. As a result, an effective corporate data preservation policy, particularly as it relates to messaging (including ephemeral messaging) is now of even greater importance.
Recent changes by DOJ
The March 2023 guidance was previewed in a September 2022 memorandum in which Deputy Attorney General Lisa Monaco announced revisions to the Department’s Corporate Criminal Enforcement Policies, explaining that moving forward, corporations seeking cooperation credit would be judged, among many other aspects, on whether they have effective policies surrounding the use of “personal devices and third party applications” to “ensure that business-related electronic data and communications are preserved.”1 DAG Monaco directed the Department’s Criminal Division to study the best corporate practices surrounding these applications, and to modify its policies to incentivize good behavior by corporations.
In recent remarks delivered at the American Bar Association’s National Institute on White Collar Crime in Miami, Florida, Assistant Attorney General Kenneth A. Polite announced changes to the department’s “Evaluation of Corporate Compliance Programs” (ECCP), the criteria it uses to evaluate a corporate compliance program.2 AAG Polite explained that there were “significant changes to the ECCP, including how [the Department] consider[s] a corporation’s approach to the use of personal devices as well as various communications platforms and messaging applications, including those offering ephemeral messaging.”
Under the revised ECCP, when evaluating a corporate policy for detecting and investigating potential misconduct and violations of the law, DOJ prosecutors will now consider:
The corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications (including ephemeral messaging applications);
Whether such policies are tailored to the corporation’s risk profile and specific business needs;
Whether the policy insures that to the greatest extent possible, business-related data and communications are accessible and amenable to preservation by the company;
How such policies have been communicated to employees; and
Whether the corporation enforces the policies and procedures on a regular and consistent basis.3
The policy changes implemented by DOJ and the increased attention paid by the Department to corporate policies surrounding third party messaging means that companies must now consider whether current policies are sufficiently robust. DOJ made clear that, in evaluating these factors, it would ask probing questions, and a company’s ability to answer effectively would impact DOJ’s analysis of the company’s compliance program. Following DOJ’s guidance, three areas warrant particular attention:
Policy environment: Companies should expect that DOJ will probe whether and to what extent there are policies in place that clearly define the circumstances under which employees may use off-company messaging systems and personal devices to communicate for work purposes. If there are business needs for employees to use such systems and devices instead of corporate systems, those needs need to be memorialized in policy and articulated clearly to employees. And companies should consider whether, if third party messaging applications are an approved method for corporate communications, whether and how those messages can be preserved. It is fair to expect close DOJ scrutiny on this issue, especially where a company learns that certain potentially relevant evidence exists on messaging applications unavailable for company review.
Ephemeral messaging applications: DOJ will be skeptical of the use of ephemeral messaging applications by employees, and that is especially so if employees are permitted to use such applications for work purposes consistent with existing company policy. Companies should consider whether it is prudent to altogether prohibit employees from using any messaging applications that quickly and automatically delete messages and thereby prevent preservation efforts, and whether companies should require users to change their settings to ensure preservation of data.
Deterrence and risk management: Companies should also consider what consequences are in place for employees who don’t abide by company policies. And for multi-national companies, policies may need to be tailored by jurisdiction, given that there are wide-ranging local requirements and expectations regarding privacy rights across the globe.
We have found challenges even where companies have sought to address these concerns. Data privacy requirements, such as obtaining user consent or restrictions on data transfer, can create legal issues even where a company is successful in obtaining personal devices. Enterprise solutions – that is, company-controlled versions of messaging platforms – may not be accepted by customers or other third parties, or even worse, may increase security concerns. Companies should also consider state employment laws, particularly related to reimbursement of business expenses, when employees are required to use personal devices for work-related purposes or communications. Each of the issues must be carefully considered and weighed as companies evaluate their existing policies in light of DOJ’s involving expectations and guidance.
DOJ’s new Compensation Clawback Pilot Program
DOJ’s recent changes to their enforcement framework also included the creation of the Criminal Division’s “Pilot Program Regarding Compensation Incentives and Clawbacks.” Although the SEC had adopted rules in January 2022 requiring securities exchanges to mandate that issuers develop and implement policies providing for the recovery of incentive based compensation in the event of accounting restatements,4 DOJ did not previously have policies in place to incentivized corporate “clawback” of compensation.
However, just this month, DOJ announced the creation of a three-year pilot program, commencing March 15, 2023, meant to “reward corporations with compliance-promoting compensation programs.”5 The “Pilot Program on Compensation Incentives and Clawbacks” (the Program) is composed of several parts.6
During the Program, every corporate resolution entered into by the Department’s Criminal Division will require the resolving company to implement compliance criteria in its compensation and bonus policies. The Program notes three non-exclusive criteria that may be required, including: a prohibition on bonuses for employees who fail to satisfy compliance requirements; disciplinary measures for employees who violate applicable law, as well as for knowing or willfully blind supervisors of these employees; and incentives for employees “who demonstrate full commitment to compliance processes.” In public remarks made in March 2023, Deputy AG Monaco noted that recent plea agreements had included these types of requirements, including a December 2023 agreement with a European bank, that resulted in changes to the bank’s bonus system, whereby executives with a failing compliance score will also fail to secure a bonus.7 In requiring such criteria as part of a corporate resolution, federal prosecutors will have discretion to take into account applicable foreign and domestic laws.
These requirements under the Pilot Program are alongside more general changes DOJ made to the ECCP to “consider more closely compensation structures and consequence management [procedures] when evaluating compliance programs.” What is consequence management? It is a management theory that seeks to hold employees directly responsible for their actions. In practice, the ECCP encourages companies to consider both positive and negative incentives. For example, for positive incentives, the revised ECCP now includes directions to prosecutors to consider if the company has “considered the impact of its financial rewards and other incentives on compliance,” such as structuring some percentage of executive compensation to encourage enduring ethical business objectives, designating employees as compliance champions, and making compliance a means to career advancement. For negative incentives, the revised ECCP directs prosecutors to consider whether the company publicizes disciplinary actions internally and whether the company has “a policy for recouping compensation that has been paid.”
In a recent case that Hogan Lovells handled, DOJ provided positive incentives for the company’s decision not to pay deferred compensation to a former employee. At the same time, companies should be cautious with implementing negative incentives and consider state employment laws that may restrict a company’s ability to “clawback” compensation already earned and paid, even if done within the Program’s framework. By way of example, California prohibits employers from clawing back or otherwise requiring employees to forfeit compensation already earned, and doing so may subject a company to various statutory penalties, derivative claims, attorneys’ fees, and costs.
Deferred fine reduction
The second component of the Program offers potential fine reductions to companies for money they attempted to claw back from employees who engaged in wrongdoing – provided that the company “fully cooperates and timely and appropriately remediates” and “has in good faith initiated the process to recoup such compensation before the time of resolution.” Rather than paying DOJ the entire fine at the time of resolution, a company will receive a discount for any money they were attempting to claw back. The company only needs to repay DOJ for any of the discount that they were unable to claw back; the company is not expected to otherwise repay DOJ for any money that actually did claw-back.
This component also will give DOJ prosecutors discretion to provide a 25 percent reduction in the amount to be returned in the event of a good faith yet unsuccessful attempt to recoup compensation. Although time will tell how this and the other elements of the Program will be applied in practice and how the Program may interact with other federal and state laws, this initiative presents a new framework that companies and compliance professionals must now account for in their compliance program implementation and conduct.
DOJ’s questions – about messaging applications and consequence management – appear straightforward. Answering them, however, is far more challenging. Hogan Lovells is actively engaging with clients on these new areas of compliance, and we look forward to working with you to benchmark your program.
Authored by: Maria Durant, David Sharfstein, Peter Spivack, Matthew Sullivan, Tao Leung, and Jason Chohonis.