Those of us in the financial services community know quite a bit about communications compliance. However, the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (ECCP) introduces a distinctive facet of compliance practices for corporations.
The ECCP is designed to guide DOJ prosecutors in evaluating the effectiveness of a corporation’s compliance program when conducting investigations, deciding whether to bring forth charges, or negotiating agreements with corporations. These guidelines are relevant to a wide range of corporations — including those in the financial services industry — and are intended to ensure that corporations follow the law and have adequate compliance measures in place to prevent misconduct.
The DOJ states that it makes reasonable, individualized determinations in each case, weighing factors such as the size of the company, the industry it operates in, and where it does business. Against that backdrop, prosecutors ask three fundamental questions:
- Is the company's compliance program well designed? In other words, does it address the rules and risks that actually matter to the business, and does it make sense as a whole?
- Is the program being applied earnestly and in good faith? This means the company needs to give it enough resources, authority, and independence for it to function effectively, rather than treating it as a formality.
- Does the program actually work in practice? It is not enough to have it on paper; it needs to be effective in the company's day-to-day business and to detect and remediate misconduct when it occurs.
The March 2023 updates placed a particular emphasis on communications policy structures. Here are a few of my key takeaways from the revised ECCP, with a special focus on what this means for corporations and financial institutions.
DOJ’s ECCP implications for corporations
- Preserve and access data: Corporations should thoroughly review their policies regarding the use of personal devices, messaging platforms, and ephemeral messaging apps for business communications, including Microsoft Teams, WhatsApp, Snapchat and Signal. Because ephemeral apps delete messages by default, preservation has to be arranged before an investigation begins, not after. It is imperative to ensure that communications data can be preserved and accessed when necessary for internal or government investigations.
- Tailoring policies: One-size-fits-all compliance policies are no longer sufficient. Companies should tailor their communication policies to their specific business needs and risks. For higher-risk communications, additional controls and scrutiny are warranted. Companies should regularly assess whether their policies and procedures need updating, based on their own risk profile as well as on lessons learned from other companies' enforcement matters.
- Training and enforcement: Communication policies must not exist merely on paper. They should be communicated effectively through training programs, monitored for compliance, and consistently enforced. Misconduct should result in appropriate disciplinary measures. Companies should make sure that the "key gatekeepers" in the review process are adequately trained to spot misconduct.
- BYOD programs: With the widespread adoption of bring-your-own-device (BYOD) programs, companies need to maximize their legal ability to access corporate data on personal devices. Effective policies should be established to govern the preservation of, and access to, corporate data and business communications stored on personal devices. This must be balanced against employee privacy and the constraints of applicable law, which vary by jurisdiction.
- Regular assessments: Regular audits should test whether communications data can actually be retrieved for internal or government investigations, rather than assuming the policy guarantees it. Consider implementing testing procedures that cover how the company manages and monitors email, messaging applications, and any other communication tools, and how effective those controls are at detecting misconduct. Where the risks warrant it, companies should enhance their controls.
DOJ’s ECCP implications for financial institutions
Financial institutions already operate under significant compliance obligations due to regulations related to communications monitoring and retention. However, there are still key takeaways for firms and advisers.
- Expanded expectations: The DOJ's revised guidance extends its expectations regarding access to personal device data and messaging platforms, regardless of whether such access is already subject to existing regulatory oversight.
- Review controls: Financial institutions should conduct a thorough reassessment of their controls over communication tools such as WhatsApp or WeChat, which some firms had previously treated as falling outside the scope of regulatory scrutiny even though they were being used for business communications.
- Risk assessment: Conduct risk assessments to determine if additional access and retention of communications data are needed based on specific risks beyond regulatory minimums.
- Balancing requirements: Financial institutions should strike a balance between regulatory requirements for data retention and the DOJ’s expectations for access to personal communications.
- Fostering compliance: It’s essential for financial institutions to foster compliance with both regulatory obligations and DOJ standards through training, monitoring, and enforcement policies.
The updated ECCP guidance from the DOJ represents a significant shift in expectations for corporate compliance programs, particularly in the area of communications policy structures. While financial institutions already have robust compliance regimes, the DOJ's guidance expands obligations around communications. This shift carries significant implications for corporations and financial institutions alike.
About the author:
As a Regulatory Advisor at Smarsh, Tiffany monitors, evaluates and consults on the financial services regulatory landscape. Tiffany has more than 10 years of experience in compliance with laws, regulations and policies, and in risk management. Prior to joining Smarsh, Tiffany was a Senior Associate at Benefit Street Partners and a Compliance Analyst at Broadstone and Manning & Napier Advisors.
Smarsh® is the recognized global leader in electronic communications archiving solutions for regulated organizations. Smarsh provides innovative capture, archiving, e-discovery, and supervision solutions across the industry’s widest breadth of communication channels.
Scalable for organizations of all sizes, the Smarsh platform provides customers with compliance built on confidence. It enables them to strategically future-proof as new communication channels are adopted, and to realize more insight and value from the data in their archive. Customers strengthen their compliance and e-discovery initiatives and benefit from the productive use of email, social media, mobile/text messaging, instant messaging and collaboration, web, and voice channels.
Smarsh serves a global client base that spans the top banks in North America and Europe, along with leading brokerage firms, insurers, and registered investment advisors. Smarsh also enables state and local government agencies to meet their public records and e-discovery requirements. For more information, visit www.smarsh.com.