On December 1, 2022, the United States Department of Justice (DOJ) announced that it is formulating new guidance on how it will evaluate business use of personal devices and third-party messaging platforms. Acting Principal Deputy Assistant Attorney General Nicole Argentieri said in a speech that the DOJ is working with experts and other regulators to determine what guidance is warranted in this area.

Over the past few months, the DOJ has been especially focused on revising its processes for evaluating corporate compliance programs. On September 15, 2022, the DOJ announced revisions to its corporate criminal enforcement policy. Among other key changes, Deputy Attorney General Lisa Monaco announced that prosecutors will consider policies on personal device and third-party messaging platform use when evaluating the effectiveness of a corporation’s compliance program.

Personal Devices and Third-Party Messaging Platforms 

In the DOJ’s September announcement, Monaco stated that the “ubiquity of personal smartphones, tablets, laptops, and other devices poses significant corporate compliance risks.” Monaco emphasized that compliance policies must ensure that business-related communications and data are preserved. Similarly, Argentieri noted the importance of implementing appropriate guidance and controls governing the use of personal devices and messaging apps, so that the improper destruction or deletion of business records can be prevented. Argentieri stated that the DOJ will consider whether companies are continually assessing and revising their policies in these areas in order to comply with their legal obligations. Argentieri noted that the DOJ will release additional guidance in this area in the future.

In recent months, regulators have been cracking down on such business messaging. Since 2021, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have charged over a dozen large financial institutions with recordkeeping violations for failing to preserve business communications sent on platforms such as WhatsApp. The SEC and CFTC also found that the financial firms failed to enforce internal recordkeeping policies. In total, the SEC and CFTC fined the firms nearly $2 billion for these failures.

While companies should expect expanded guidance from the DOJ in these areas in the coming months, companies should proactively review their corporate compliance programs to determine the adequacy and effectiveness of their policies and procedures.