New guidance from the DOJ on what makes an effective compliance program should be mandatory reading for every corporate integrity professional. Living Your Best Compliance Life columnist Mary Shirley shares her thoughts on the upshots of the new guidance.
This month kicked off with an exciting development for informing corporate compliance programs, the release of an updated “Evaluation of Corporate Compliance Programs” document from the DOJ. Let’s look at a few interesting developments.
Guidance on ephemeral messaging
We were teased in a speech last year that some guidance on this subject was on the way, and that promise was followed through with a section in the updated guidance dedicated to this topic from Page 17 onwards. Hallelujah! I think control around the use of messaging apps for business communications is one of the greatest challenges compliance departments are facing at the moment, and this guidance is much appreciated.
The DOJ addresses bring your own device (BYOD) situations and expects us to have a solid understanding of the size of the universe of messaging apps and, perhaps most emphasized, policies to set expectations around usage of messaging applications.
It seems that a policy around care and control of business communications is the bare minimum standard expected. So after implementing a policy, helpfully informed by the questions in the guidance and our own business circumstances, what will we do about being able to enforce the policy in practice? I anticipate that will be particularly tricky in BYOD situations or when staff are assigned company phones but use their personal devices for business communications.
One way that companies can do this is to take strong action should they become aware of issues. An example we have already seen in this specific area is Morgan Stanley fining employees not-insubstantial amounts, over a million dollars in some cases, for failure to comply with the relevant policies. That seems like a pretty decent deterrent, but, then again, Morgan Stanley are already paragons of virtue in our space after their FCPA declination.
Three compliance program enhancements
Some compliance departments have been doing these initiatives for years, and the compliance folks responsible can give themselves a pat on the back for their prescient efforts to promote a culture of integrity throughout their organizations. Can you check off all three of these items?
Publicize disciplinary actions internally
This concept has been implemented at various organizations for the past eight or so years to my knowledge and, anecdotally, every company I have heard of that has done this has been pleased with the reaction from colleagues. One example I’m aware of is an organization that created an intranet page called “The Dark Alley” which contained sanitized investigations cases and high-level information about what happened and consequences for misconduct. The intranet page was so popular it became the second most viewed page on the company’s intranet site, with only the expense claim page getting more hits.
I’ll be the first to say that some organizations can be a bit squeamish about airing their dirty laundry, even if it’s only internal. Implementing the initiative as described above is not for the faint-hearted executive management team. It may require gentle coaxing and starting off with something smaller, like taking one very serious case the organization wants to make an example of and having the CEO send a communication about a particular situation.
One organization I worked at previously did the one-off example, and it was very effective. The email arrived from the CEO on a Saturday morning, and it instantly grabbed my attention because it was not usual to receive a communication of that nature and especially not expected to see a company-wide email over the weekend.
Consider executive/employee clawbacks
We haven’t seen this much so far in the anti-corruption space, but there was a high-profile example in light of the McDonald’s CEO’s misconduct in 2021, where the company clawed back $105 million upon the executive’s departure related to #metoo issues. (In October, the SEC adopted executive compensation clawback rules in relation to securities laws, expanding existing clawback rules, so there might be some new securities cases on the way very soon.)
The Morgan Stanley example above, of fining staff members who fail to comply with company policies, whether they be ephemeral messaging systems or beyond, is arguably at least analogous to a clawback and may be an effective way for companies to keep colleagues in check.
Compliance champion network
Some traditions exist because they are so successful. Implementing compliance champion or ambassador programs is one of them. They help to spread the word about compliance, allow for increased reach and resourcing and are a scalable way to trickle centralized efforts throughout large, multinational organizations.
If you’ve not implemented one, the concept is fairly simple: Identify ethics-savvy and influential representatives throughout your business to assist with compliance initiatives. The ambassadors/champions typically receive some training from the compliance department. Take a listen to Beth Colling’s Great Women in Compliance episode to learn more about how you can level up a champions program, and be on the lookout for Matt Silverman’s book, to be released later this year, “The Champions Network: A Blueprint to Expand Your Influence and Spread Big Ideas in Any Organization,” to drill down into the details and gain inspiration and actionable ideas for your own compliance champion network.