
Navigating the DOJ ECCP Update: A Focus on Communications Compliance

October 26, 2023 by Tiffany Magri


Those of us in the financial services community know quite a bit about communications compliance. However, the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (ECCP) introduces a distinctive facet of compliance practices for corporations.

The ECCP is designed to guide DOJ prosecutors in evaluating the effectiveness of a corporation's compliance program when conducting investigations, deciding whether to bring charges, or negotiating resolutions with corporations. These guidelines apply to a wide range of corporations, including those in the financial services industry, and are intended to ensure that corporations follow the law and have adequate compliance measures in place to prevent misconduct.

The DOJ states that it makes reasonable, individualized determinations in each case, weighing factors such as the size of the company, the industry it operates in, and where it does business. Against that backdrop, prosecutors ask three fundamental questions:

  • Is the company's compliance program well designed? In other words, does it address the relevant legal requirements and the company's own risk profile, and does its structure make sense?
  • Is the program being applied earnestly and in good faith, with adequate resources and authority? The company needs to invest enough time, money, and empowered personnel for it to function effectively.
  • Does the program actually work in practice? It is not enough to have it on paper; it needs to be effective in the company's day-to-day business.

The March 2023 updates placed a particular emphasis on communications policy structures. Here are a few of my key takeaways from the revised ECCP, with a special focus on what this means for corporations and financial institutions.

DOJ’s ECCP implications for corporations

Preserve and access data: Corporations should thoroughly review their policies regarding the use of personal devices, messaging platforms, and ephemeral messaging apps for business communications — including Microsoft Teams, WhatsApp, Snapchat and Signal. It's imperative to ensure that communications data can be preserved and accessed when necessary for internal or government investigations.

Tailoring policies: One-size-fits-all compliance policies are no longer sufficient. Companies should tailor their communication policies to their specific business needs and risks. For higher-risk communications, additional controls and scrutiny would be warranted. Companies should regularly assess if updates are needed to their policies and procedures based on their own risk as well as what can be learned from other companies.

Training and enforcement: Communication policies must not exist merely on paper. They should be communicated effectively through training programs, monitored for compliance, and consistently enforced. Misconduct should result in appropriate disciplinary measures. Companies should make sure that “key gatekeepers” in the review process are adequately trained to spot misconduct.

BYOD programs: With the widespread adoption of bring-your-own-device (BYOD) programs, companies need to maximize their legal ability to access corporate data on personal devices. Effective policies should be established to regulate the preservation and access of corporate data and business communications stored on personal devices. This must be balanced with respecting employee privacy and the constraints of the law.

Regular assessments: Regular audits should assess whether data can be accessed for internal or government investigations. Consider implementing testing procedures that include how the company manages and monitors email communications, messaging applications, and any other communication tools — and the effectiveness of these controls — to detect misconduct. If risks warrant it, companies should enhance their controls.

DOJ’s ECCP implications for financial institutions

Financial institutions already operate under significant compliance obligations due to regulations related to communications monitoring and retention. However, there are still key takeaways for firms and advisers.

Expanded expectations: The DOJ's revised guidance extends its expectations regarding access to personal device data and messaging platforms, regardless of whether such access is already subject to existing regulatory oversight.

Review controls: Financial institutions should thoroughly reassess their controls over communication tools such as WhatsApp or WeChat, which for various reasons were previously treated as outside the scope of regulatory scrutiny despite their potential use for business purposes.

Risk assessment: Conduct risk assessments to determine if additional access and retention of communications data are needed based on specific risks beyond regulatory minimums.

Balancing requirements: Financial institutions should strike a balance between regulatory requirements for data retention and the DOJ's expectations for access to personal communications.

Fostering compliance: It's essential for financial institutions to foster compliance with both regulatory obligations and DOJ standards through training, monitoring, and enforcement policies.

The updated ECCP guidance from the DOJ represents a significant shift in expectations for corporate compliance programs, particularly in the area of communications policy structures. While financial institutions already have robust compliance regimes, the DOJ's guidance expands obligations around communications. This shift carries significant implications for corporations and financial institutions alike.
