The rise of digital communication tools has transformed how employees interact within organizations. However, with the convenience of third-party apps like WhatsApp, WeChat and personal text messages comes significant compliance risks. Off-channel communications—those that occur outside of approved corporate systems—can pose a considerable challenge for regulatory compliance, data security and overall business integrity. This article delves into the complexities of off-channel communications, exploring employee behaviors, storage of communications, and strategies for in-house counsel and compliance/risk professionals to consider in addressing this pervasive issue.
The Problem: Employees Are Using Third-Party Communication Channels to Conduct Business
Off-channel communications refer to the use of unauthorized or unmonitored platforms for business-related communications. Despite policies dictating the use of corporate communication tools, employees often resort to personal messaging apps for various reasons, including convenience, speed and familiarity. This can expose organizations to significant risks, including:
- Regulatory Noncompliance: Regulatory bodies including the SEC, CFTC, HHS, FDA, FCC, FTC, FERC, NERC, and others mandate that companies maintain comprehensive records of business-related communications. Failure to do so can result in hefty fines and legal penalties. (See, e.g., Press Release, U.S. Securities and Exchange Commission, Sixteen Firms to Pay More than $81 Million Combined to Settle Charges for Widespread Recordkeeping Failures (Feb. 9, 2024), https://www.sec.gov/newsroom/press-releases/2024-18; Release No. 8599-22, Commodity Futures Trading Commission, CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods (Sept. 27, 2022), https://www.cftc.gov/PressRoom/PressReleases/8599-22).
- Data Security Threats: Using unmonitored platforms increases the risk of data breaches. Sensitive business information may be exposed to unauthorized access, leading to potential data loss or theft.
- Reputational Damage: Noncompliance and data breaches can significantly damage an organization’s reputation, eroding trust with clients, partners, and stakeholders.
- Operational Inefficiencies: Managing multiple communication channels without a centralized system can lead to inefficiencies and hinder effective communication within the organization. It can also impact completeness and timeliness in responding to a document request or subpoena.