In March 2023, the DOJ Criminal Division revised its valuable Evaluation of Corporate Compliance Programs (ECCP) to emphasize two priorities for corporate compliance: (1) the preservation of communications made via personal devices and instant messaging apps and (2) compliance incentives and disincentives in executive compensation. While both issues can at least in theory be relevant to compliance efforts, the DOJ’s focus may be impractical and could threaten the more important, everyday work being done by compliance departments.
The use of personal devices and messaging apps for corporate communications is an area the Criminal Division first explored in 2017, only to encounter massive resistance by companies who knew that they could not stop employees from texting and using apps like WhatsApp to communicate with clients and business partners. After a brief spurt of announcements, the DOJ grew largely silent on the issue and it seemed to recede from view.
The DOJ is now revisiting the issue which has only gotten more complicated over the ensuing six years, with the increased use of a variety of messaging apps and with corporate bring-your-own-device policies becoming the norm.
The revised ECCP makes clear that the DOJ is focused on the preservation of communications. In evaluating a corporate compliance program the Criminal Division will ask:
- Which communication channels are permitted for business communications, and what structures are in place to ensure access and preservation of those channels?
- What preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each?
- What is the company’s rationale for its policies, including if they vary by jurisdiction or with differing applicable laws?
- What is the company’s “Bring Your Own Device” policy, and what is the rationale behind the policy?
- How are the company’s policies enforced and what exceptions or limitations exist?
- What are the consequences for employees who refuse, and does the company regularly exercise its rights under the policies?
A company’s ability to enforce the type of policy the DOJ is now encouraging is dubious at best. WhatsApp and other messaging apps are now ubiquitous. In trying to stem their use, the DOJ appears to be on the wrong side of history. Technological solutions that make communication more efficient will be used by business, period. From the train and airplane to facilitate in-person conversations, to the telephone, the fax machine and then email, this has always been the case.
Email was the first form of communication to leave companies and the DOJ with an easily-obtained evidentiary trail and it was not by chance that the rise of corporate prosecutions coincided with the widespread use of email. The DOJ seems unwilling to go back to the days – i.e., all of history prior to the 1990s – of unpreserved communications.
Most corporate policies are susceptible to auditing and the ECCP rightly focuses a great deal on companies auditing all aspects of their compliance programs. Whether the DOJ is expecting companies to audit employees’ personal devices and messaging apps is very much an open question and fraught with privacy issues.
It is compliance personnel who are on the front lines of trying to enforce this virtually unenforceable policy. Doing so will take time and effort away from the everyday compliance blocking and tackling that is challenging enough to achieve. And, perhaps even more damaging to the compliance mission is the inevitable injury to credibility that will befall compliance departments when executives look at them with bewilderment as they ask, in a variety of languages, some version of: “Wait, you’re telling me I can’t answer my client’s WhatApp message?”
This loss of credibility could spill over onto the truly essential elements of a compliance program which the ECCP, prior to this latest revision, set forth so well.
In addition to the preservation of communications, the revised ECCP focuses on whether company policies permit clawing back executive compensation in cases of misconduct and/or supervisory responsibility for misconduct. Companies will be assessed on the policies they have in place, how well employees are made aware of those policies, and how those policies are, in fact, put into effect when a situation arises.
While the idea of having financial incentives and disincentives with regard to compliance intuitively makes good sense, implementing the measures now suggested by the DOJ will not be easy and may not be practical.
Legal systems around the world will deal differently with the idea of recouping previously promised, earned or even awarded compensation. The burden of proof in such situations will undoubtedly fall upon the company and the burden may well be too high to meet in many, if not most, instances. Corporate misconduct is, of course, often more gray than black and white.
As with communications, it is compliance personnel who must take the lead and use their precious capital to cause companies to implement an unpopular compensation policy which may never be used and may be impossible to enforce. Better use can and should be made of compliance’s time and influence.
Both the compensation and the communications policies discussed above can be justified in theory. Every responsible company, after all, has an interest in ferreting out misconduct and then punishing the executives involved. But, in pursuing one policy that is virtually unenforceable and another that will be used rarely, if at all, the Criminal Division may be chasing some platonic ideal of compliance which will come at a cost to the more important, everyday essentials of compliance. In this case, the perfect may well be the enemy of the good.
Comments are closed for this article!