Earlier this month, the FCPA Blog published a post by Billy Jacobson about new Department of Justice (DOJ) policies regarding communications made via messaging apps and devices. He said he believed these policies “could threaten the more important, every day work being done by compliance departments.”
My post today is meant to cordially counter that argument, with the disclaimer that I work for a regulatory technology business that helps businesses archive, report on, and supervise such communications.
Compliance departments are well-poised to handle the challenge about which Mr. Jacobson speaks, and it’s totally within their competency and wheelhouse to do so, considering their closely related responsibilities, the assistance they can and should receive from colleagues and regulatory technology, and the nature of the skill sets compliance officers possess today.
According to digital consultancy Kepios’ January 2023 data report, 59.4 percent of the population of the planet uses social networking platforms regularly — 4.76 billion people. And the number of users is growing at an annualized rate of three percent.
All of which means the way we communicate with each other, including the way we do business, has changed completely, and the compliance and risk departments of businesses — as well as regulatory and law enforcement entities themselves — must evolve with these changes.
The decision to adopt and use any new technology to transact business and certainly to communicate about such transactions has always needed a proper analysis of the compliance risk.
The Securities and Exchange Commission and Financial Industry Regulatory Authority have been addressing these issues for years (see here and here, the latter one having been amended last year with a compliance date of May 3), making any emphasis on a need to monitor communications associated with messaging apps an extension of regulated entities’ risk-monitoring and reporting obligations.
At the DOJ, an agency that has been quite vocal about its cooperation credit regime and how to earn such credit in seeking a declination, it is logical that a demonstrated effort on a business’s part to preserve and produce evidence would be a feature of its revised Evaluation of Corporate Compliance Programs (ECCP).
In referring to the DOJ’s updated ECCP, the DOJ’s Criminal Division Chief Kenneth Polite (a former chief compliance officer) has said that chief compliance officers are well-suited to explain how compliance programs have been tested and adapted to meet the challenges of ever-changing risk, noting that doing so within investigations enables the compliance team to showcase its ownership of the compliance program.
But he also emphasizes that they should not be operating in this arena alone — nor should this be implied in any of DOJ’s recent policy developments. Polite says “[o]ther senior management should also participate, taking ownership of their role in the compliance program and demonstrating a commitment to compliance.”
That means the compliance officer, along with his or her colleagues in information security, operations, legal, and other areas, will have a role to play. The CCO will not carry the load alone, which is the case whether we are talking about preserving data from messaging apps or other types of data produced by the business.
To that end, there is regulatory technology that can help these professionals monitor, store, produce, and report effectively on communications from a variety of channels – whether you’re talking about email, intranet, social media comms, instant messaging, blogs, video conferencing, or others.
(You knew I’d get to that part of my blog post at some point!)
In sum: Today’s compliance department is already equipped professionally — and can be equipped technologically — to meet yet another challenge in an ever-changing risk landscape.
Comments are closed for this article!