Industry Insight

Navigating the DOJ ECCP Update: A Focus on Communications Compliance

October 26, 2023by Tiffany Magri

Subscribe to the Smarsh Blog Digest

Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Those of us in the financial services community know quite a bit about communications compliance. However, the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (ECCP) introduces a distinctive facet of compliance practices for corporations.

The ECCP is designed to guide DOJ prosecutors in evaluating the effectiveness of a corporation's compliance program when conducting investigations, deciding whether to bring forth charges, or negotiating agreements with corporations. These guidelines are relevant to a wide range of corporations — including those in the financial services industry — and are intended to ensure that corporations follow the law and have adequate compliance measures in place to prevent misconduct.

The DOJ states they make reasonable, individualized determinations for each case and considers a lot of elements, such as the size of the company, what industry it's in, and where it operates. Based on all this, they ask three big questions:

 

  • Is the company's compliance program well thought out? In other words, does it cover all the important rules and make sense?
  • Is the program being put into action seriously and with enough resources? This means the company needs to invest enough time and money in it for it to work well.
  • Does the program actually work in real life? It's not enough to just have it on paper; it needs to be effective when the company is doing its day-to-day business.

 

The March 2023 updates placed a particular emphasis on communications policy structures. Here are a few of my key takeaways from the revised ECCP, with a special focus on what this means for corporations and financial institutions.

DOJ’s ECCP implications for corporations

Preserve and access data: Corporations should thoroughly review their policies regarding the use of personal devices, messaging platforms, and ephemeral messaging apps for business communications — including Microsoft Teams, WhatsApp, Snapchat and Signal. It's imperative to ensure that communications data can be preserved and accessed when necessary for internal or government investigations.

Tailoring policies: One-size-fits-all compliance policies are no longer sufficient. Companies should tailor their communication policies to their specific business needs and risks. For higher-risk communications, additional controls and scrutiny would be warranted. Companies should regularly assess if updates are needed to their policies and procedures based on their own risk as well as what can be learned from other companies.

Training and enforcement: Communication policies must not exist merely on paper. They should be communicated effectively through training programs, monitored for compliance, and consistently enforced. Misconduct should result in appropriate disciplinary measures. Companies should make sure that “key gatekeepers” in the review process are adequately trained to spot misconduct.

BYOD programs: With the widespread adoption of bring-your-own-device (BYOD) programs, companies need to maximize their legal ability to access corporate data on personal devices. Effective policies should be established to regulate the preservation and access of corporate data and business communications stored on personal devices. This must be balanced with respecting employee privacy and the constraints of the law.

Regular assessments: Regular audits should assess whether data can be accessed for internal or government investigations. Consider implementing testing procedures that include how the company manages and monitors email communications, messaging applications, and any other communication tools — and the effectiveness of these controls — to detect misconduct. If risks warrant it, companies should enhance their controls.

DOJ’s ECCP implications for financial institutions

Financial institutions already operate under significant compliance obligations due to regulations related to communications monitoring and retention. However, there are still key takeaways for firms and advisers.

Expanded expectations: The DOJ's revised guidance extends its expectation regarding the access to personal device data and messaging platforms, regardless of whether such access is subject to existing regulatory oversight.

Review controls: Financial institutions should conduct a thorough reassessment of their control measures pertaining to communication tools such as WhatsApp or WeChat, which, for various reasons, were previously considered beyond the purview of regulatory scrutiny despite their potential use for business purposes.

Risk assessment: Conduct risk assessments to determine if additional access and retention of communications data are needed based on specific risks beyond regulatory minimums.

Balancing requirements: Financial institutions should strike a balance between regulatory requirements for data retention and the DOJ's expectations for access to personal communications.

Fostering compliance: It's essential for financial institutions to foster compliance with both regulatory obligations and DOJ standards through training, monitoring, and enforcement policies.

The updated ECCP guidance from the DOJ represents a significant shift in expectations for corporate compliance programs, particularly in the areas of communications policies structures. While financial institutions already have robust compliance regimes, the DOJ's guidance expands obligations around communications. This shift carries significant implications for corporations and financial institutions alike.

Share this post!

Tiffany Magri
Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

Contact Us

Tell us about yourself, and we’ll be in touch right away.