Third party messaging apps have become an area of particular focus for the U.S. Securities Exchange Commission and the U.S. Department of Justice, both of which have issued their own guidance on the matter. Morrison Foerster partners James Koukios and Haima Marlier tap into their extensive legal and governmental expertise to talk about the risks third party messaging poses, SEC and DOJ expectations, and best practices for this swiftly evolving technology.
Let’s start from the top of the mountain: What exactly is third party messaging?
Haima Marlier: Third party messaging, very broadly, refers to messaging applications that are not manufactured by the developer of the device that you are using. Popular third party messaging applications include WhatsApp, WeChat, Telegram, Signal, Slack, Discord, and the chat function of Zoom or Microsoft Teams. Text messaging is also a third party messaging application from the perspective of many organizations, since your text messages are on your smartphone, but your organization is not necessarily the controller of that data.
This topic is really important, given how ubiquitous this type of communication is today. Based on recent research we did, 16 million text messages are sent per minute. For WhatsApp, 100 billion messages are exchanged daily. WeChat has 1.3 billion active users. It’s an important topic, and it is affecting every organization.
What are the DOJ and SEC focusing on regarding third party applications?
James Koukios: In 2017, the DOJ criminal division released the first version of the Foreign Corrupt Practices Act (FCPA) corporate enforcement policy. Among the many things in that document— which was geared towards encouraging companies to self-disclose, cooperate, and remediate FCPA issues—one of the things they said was companies should ban their employees from using third party messaging applications.
That didn’t go over very well, The DOJ, to their credit, pivoted pretty quickly on that and released a revised version of the corporate enforcement policy that said, essentially, you need to take appropriate steps to govern employees’ use of third-party messaging applications. And it kind of sat there for a while with no further guidance.
But in 2021, Lisa Monaco, the Deputy Attorney General, came forward with more guidance, which peaked with the 2022 Monaco memo. Essentially, what DOJ said was, there are three basic elements that you need to put into place for your compliance program. You need to have a policy on third party messaging. You need to train your employees on that policy, and if you detect violations of that policy, you need to discipline your employees who violate the policy.
Other than that, they’ve given a fairly broad range for companies to try to fill in those gaps, which I think recognizes that this is a very complicated subject. There are a lot of different applications, and different countries have different privacy regimes. There is some flexibility in how companies can approach third party messaging when it comes to their employees.
One other thing that DOJ has emphasized in the Monaco memo is that it’s not only a compliance and governance issue. For companies to have an effective compliance program, they need to have these kind of policies in place. What DOJ has also said is that in order to get full cooperation credit, you have to have in place policies and procedures to be able to preserve, access, and produce [to DOJ] third party messages that their employees may be using as well.
Haima Marlier: When the SEC issues a subpoena or an inquiry and asks you for all documents, which include communications about a particular topic, it has been the longstanding practice of the SEC to understand that that can incorporate things like text messages. The clearest guidance in my view, really started to emerge in the fall of 2021. That’s when the SEC’s Director of the Division of Enforcement, Gurbir Grewal, gave a pretty direct speech where he said that companies that fail to preserve and to produce to the SEC third party messaging application communications “delay and obstruct investigations, and they raise broader accountability, integrity, and spoliation issues.” That’s very direct. Spoliation is a serious issue, and there can be severe penalties to companies and individuals that spoliate. He went on to say that companies need to actively think about and address compliance issues raised by their employees’ use of third party messaging, application, communications, and other off-channel communications. So I think were we land is a practical approach by the SEC. They’re not saying, “don’t do it.” They recognize that it’s part of how many companies have to do business. The SEC is just saying, “come up with a framework, come up with policies, and a way to address compliance issues that may arise from this.”
Is the focus on third party messaging a new development?
James Koukios: From the DOJ side, I’d say it’s more of an evolution. When I became an FCPA prosecutor in 2009, it was during the heyday of Gmail. Employees who wanted to do things wrong had figured out they can’t send emails on their corporate email accounts because they knew they were accessible by the company and outside lawyers. So a lot of them shifted over to Gmail or Yahoo or Hotmail or whatever it may be. If you go back to some of the enforcement actions from the 2009-2015 era, you’ll see lots of Gmails referenced in those. But it’s a cat-and-mouse game. Once people started figuring out that the DOJ could get their Gmails, the technology started shifting away from personal email addresses to third party messaging apps. And I think DOJ started to see that in their cases.
I think part of that 2017 message by DOJ—that companies need to stop their employees from using messaging apps—was in part because they were concerned that these messaging apps were being used for nefarious purposes, but also that DOJ was no longer able to get those messages as easily [as email]. Even WhatsApp, which is U.S.-based, is harder for DOJ to get than Gmail was. And WeChat or Signal or any of the ones that are not U.S.-based might be impossible.
One of the first times I saw this in a DOJ FCPA enforcement action, there was a long complaint affidavit justifying the arrest of a person suspected of an FCPA violation. And there was a footnote in there by the agent that, to paraphrase, said “based on my training and experience criminals love instant messages because that’s how they get away with their crimes.” I think that was reflective of the viewpoint of DOJ and FBI and law enforcement in 2016 and 2017. That has evolved over the years and led to this engagement with the business community that understands a lot of legitimate business is done over these programs, but there needs to be a control on them for compliance and investigative purposes. That’s why even though it’s not a new issue, we’re hearing more discussion about it.
Haima Marlier: There’s a huge uptick in SEC enforcement actions in this space. The SEC and CFTC have gotten a combined $2.2 billion in penalties so far, and the cases still keep coming. There were cases in May against broker-dealers and registered investment advisors for failure to preserve what the SEC says was pervasive off-channel communications including text messaging, WhatsApp, WeChat, et cetera. The SEC’s focus was that many of these third party messaging communications, including by very senior executives at some of these institutions, were sent on personal devices.
What has been less known but is actually more important, is that this is not just a compliance issue for SEC registrants. It is a compliance issue for every organization that does any form of business in the United States, public or private. Any organization can be on the receiving end of an SEC or DOJ inquiry or subpoena. And those agencies have now been very clear that they expect a compliance framework to be in place.
Are there any regulatory investigations, matters, or resolutions worth discussing that really highlight regulators concerns about the use of third party messaging?
Haima Marlier: If you go to the SEC’s website, they have a listing of all of the companies they have charged thus far. You’ll see that the types of applications and how they were used are all different. But the common thread is that there was a failure to preserve.
There have also been some pretty significant sanctions in civil litigation. For example, earlier this year in a multi-district litigation, a large tech company was sanctioned for spoliation of certain chats that were on the company’s servers. This isn’t a case of a smartphone with an application that’s only accessible if you image that phone. What happened was litigation began against this company, the company sent out litigation holds and preserved emails and SharePoint sites and things like that, but for whatever reason chats in things like Zoom, Teams, or Google were kind of an oversight and were not preserved.
“This is not just a compliance issue for SEC registrants.
It is a compliance issue for every organization.”
We’re talking mostly here about the government and what the consequences can be with the SEC and the DOJ, but once public companies see that there is an SEC or a DOJ inquiry, there’s often follow-on civil litigation, and now it’s clear that this is an issue as well.
James Koukios: If you go to FCPA enforcement actions, you will see in the statement of facts where DOJ specifically calls out when the “bad guys” have used third party messaging applications in furtherance of a bribery scheme. And there’s several reasons why they do that. One is just jurisdictional. Oftentimes those give you the jurisdictional hook because they’re U.S.-based or they pass through the U.S. or something that you need for an FCPA violation. Second, it’s just great evidence. It’s always better to have the defendant’s own words being used against them in those things. But third, and I think most important, is to send a message to the business community: “We’ve told you that employees have been using these for nefarious reasons and that you need to get a handle on this. Let us give you some concrete examples of how it’s being used.” And often they’ll name the third party messaging application as well. I think this is a very clear signal that DOJ is trying to send to the business community. This is not empty talk.
What are some risks associated with the company’s failure to provide a means to retain and access business communications on personal devices and third party messaging apps?
Haima Marlier: The risks are really enormous. That just can’t be understated. Let’s say that there’s no government inquiry, it’s just business in the ordinary course. Why should I care about this? Internally, your organization could lose relevant data. You don’t know what you may need it for. You may never need it for a government facing purpose, but it may be that it’s important for you to have that data. Also, if you don’t have a compliance framework in place for third party messaging applications, you are losing your ability to monitor your employees’ conduct and make sure it’s consistent with the law, but consistent with the values of your organization.
There is a laundry list of external risks on the civil side, including the loss of cooperation credit if you are facing an SEC inquiry or investigation. The SEC can bring a range of violations related to a failure to preserve relevant communications. There can be books and records violations, failure to supervise internal controls violations. The SEC can seek civil penalties. They can take adverse inferences against the organization. Courts could later preclude you from using certain defenses if, in fact, the defense is based on some kind of evidence that you failed to preserve, even though you had a duty to do so. There can be sanctions for spoliation, the most severe of which would be a default judgment against you in civil litigation. And then finally, there can be a lot of reputational damage to an organization when there’s a failure to preserve relevant information.
James Koukios: From a DOJ and government enforcement perspective, whistleblowers will take screenshots of their WeChat or SnapChat conversations and they’ll email them to the company—or worse, the enforcement agencies—and say, look, this is what’s been going on. If the government has that and you don’t, it really puts you at a disadvantage when you’re conducting an investigation or you’re negotiating with the government about what the evidence might show.
There can also be more direct consequences. In the DOJ guidance, they state that to get full cooperation credit, you need to be able to access, preserve, and ultimately produce to the government third party messaging apps. One question they’ve been asking a lot lately is, “Have there been times where an investigation has been impacted because you’ve not been able to obtain hird party messages?” If you have an enforcement action, you can lose some of those credits, which will result in a higher penalty and potentially enhanced compliance requirements as well. So there’s definitely very tangible risks associated with a company’s failure to provide a means to retain and access these types of communications.
What do you generally consider to be best practices to minimize regulatory risks and exposure on third party messaging?
Haima Marlier: The culture of compliance within an organization is so important. At certain organizations, in times past, compliance departments raised these issues but couldn’t get traction on some of the compliance frameworks that they wanted to set up. That day is no more. Folks are listening to their compliance professionals. And those people can be a huge value add. The amount of money you’ll spend on a compliance framework now is nothing compared to when James or I get involved and there’s 70 witness interviews in a million documents, and we’re trying to negotiate for the government.
The four best practices are: 1) some kind of risk assessment of where you are now, 2) establishing or enhancing policies and procedures based on that risk assessment, 3) conducting training, and 4) having some kind of monitoring to know what your employees are actually doing.
What a risk assessment would involve is organizations need to determine the nature and the extent of third party messaging application use by their employees. For some organizations, it may not be much, but I think that will be rare in our world today. Once you determine the use, you can conduct a risk assessment and determine things like what apps should and shouldn’t employees be allowed to use, and put some parameters around it.
On the policies and procedures point, organizations need to establish or revisit clear policies governing employee use of third party messaging applications for business purposes. Organizations that work closely with their compliance departments often engage external counsel like MoFo or other firms to design policies to fit not only their business, but their risk profile. The risk profile of every organization will be different.
James Koukios: Training is a relatively easy thing that companies can work into their annual training programs, keep a record of it, and to be able to show to enforcement agencies if you need to: “Look, we have 98% compliance with our training. People have to pass this exam. We are very confident that people know about this policy.”
Monitoring and discipline is very difficult. We’re not necessarily at a point where technology permits that very easily, and privacy laws can really interfere with those efforts. I think companies are really struggling with that right now. Some of the things that I’ve heard companies doing are, as part of the audit, they’ll sit down with employees and just ask them to look at their phone. That, of course, depends highly on whether the employee’s willing to do that and what local labor and privacy laws may be. Another thing companies are doing is when they conduct an internal investigation, they’ll have a module built into their questions about the use of third party messaging applications and whether the employee was willing to share those with the investigator.
But things are evolving right now and companies are struggling with the technology, data privacy and labor laws around the world. So it’s very difficult. However—and I think this is a really important message that DOJ has sent—just because it’s difficult doesn’t mean you can ignore it. One of the most important things in the Monaco memo and the recent guidance from DOJ is that companies can’t just throw their hands in the air and not do anything.
A lot of what DOJ is saying is they understand the difficulty, they are open to different approaches, and they are recognizing the limitations that companies face. The most important thing right now is to have a good faith reason for why you have constructed your compliance program around third party messaging the way you did. It’s not going to be perfect. There’s too much in development right now.
But if you are able to say, “we did a risk assessment, we came up with what we thought was a reasonable policy, we trained on it, and then we took steps to monitor and discipline on that,” DOJ is pretty open to that right now. Putting that investment in now to get a handle on those things can really pay off in the long run if you find yourself before the agency, trying to justify something that happened.
This article has been excerpted from an episode of the Ethicast. For the full version of this interview, please visit the Ethicast YouTube page, or tune in to the podcast version on Apple, Spotify, Google, or Amazon Music.
ABOUT THE EXPERTS
James Koukios is a partner with Morrison Foerster, where he is co-chair of MoFo’s Securities Litigation, Enforcement, and White Collar Defense Group and serves as co-head of the firm’s FCPA + Global Anti-Corruption Practice. James represents companies and individuals in high-stakes government enforcement actions and complex internal investigations. He draws on his experience as a federal prosecutor, where he tried over 20 federal jury cases and supervised hundreds of white collar investigations.
Haima Marlier is a partner with Morrison Foerster, where she is co-chair of MoFo’s Securities Litigation, Enforcement, and White Collar Defense Group. Drawing on her experience as a former Securities and Exchange Commission Senior Trial Counsel, Haima represents public and private companies, financial services providers, and individuals in SEC and other government investigations, Financial Industry Regulatory Authority (FINRA) investigations, and internal investigations, as well as in related litigation.