The use of contemporary business communication and collaboration tools including chat and instant messaging applications has resulted in a potential recordkeeping compliance gap where there is a legal requirement to retain business records. While in the past many organizations carved out these newer and less conventional forms of electronic business communications from their formal records retention practices, this approach has become increasingly less viable. Regulators have been responding with additional requirements and guidance for instant messaging, and the new reality of a large remote workforce during the COVID-19 pandemic has heightened the importance of this issue from a legal compliance and information governance perspective.
Notably, the US Justice Department has rolled back its prohibition on the use of ephemeral messaging in its FCPA Enforcement Policy, and now requires companies to set appropriate internal controls to ensure compliance with their legal obligations and retention policies. Regulators are also engaging their own tech solutions for investigative actions. The UK Serious Fraud Office has turned to artificial intelligence (AI) solutions to efficiently analyze vast amounts of digital evidence including emails and instant messages. These developments illustrate the double-edged sword of regulators accepting a common business practice that can also expose companies to potential liability if the technology employed is not properly governed and controlled.
In the financial services sector, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has stated that the recordkeeping required of financial advisers includes electronic messaging. Advisers should ensure that compliance includes proper retention of records in SMS messaging, instant messaging, and communications through other platforms. The US FINRA and SEC Rule 17a-4 requirements apply to written communications in electronic form. In Germany, after a pattern of prosecutorial investigations, the financial regulator BaFin explicitly required banks to store electronic chat records used to conduct business for ten years.
Barriers to Compliance with Retention Obligations in Instant Messaging
Generally, retention periods should be applied to communications based on their content, not their form. Classifying any record based on its content ensures that the proper legal obligations and risk calculations are applied. Most instant messages would not qualify as a business record based on their substantive content and intended purpose. However, for those that do, the matter of properly capturing instant messaging as business records within an organization’s conventional records retention program is clouded by legal, technological, and organizational complications.
In addition to the growing regulatory scrutiny, privacy considerations are increasingly a factor to be considered. Data protection authorities, particularly in GDPR jurisdictions, enforce the line between an employee’s private communications and the legitimate business records that may be implicated in these messages, a situation that can easily arise in the bring-your-own-device context. Special technical features in messaging platforms may undermine a company’s records management, including timed deletion (Signal), storage device restrictions (WhatsApp), or storage in perpetuity (Slack). Meanwhile, the convenience and usefulness of these platforms in the workplace may tempt employees to disregard records management protocols that companies try to implement. Even where a company has policies and procedures prohibiting the use of external systems or personal devices, lack of employee compliance with these policies may result in regulatory consequences, as was the case for a US registered broker-dealer sanctioned by the SEC for failure to preserve business-related text messages.
Recordkeeping Compliance Relies on IT Solutions and Retention Policies
Today, many companies are looking to address instant messages and other communications tools in their records management policies, especially since they are generally subject to discovery in litigation. While in the past, companies tried to prohibit or limit the use of these tools and applications in business communications, increasingly they are looking to impose rules to govern and control this data since it can no longer be restricted and contained.
IT solutions exist that, if planned in accordance with legal and best practice retention obligations, can facilitate compliance with existing regulations. Some archiving software captures otherwise ephemeral messages and folds them into email. It is important that the appropriate retention period is then applied to these records based on their content. Companies should ensure that instant messaging and similar communication records, once captured and stored, are neither retained in perpetuity nor inadvertently (or intentionally!) deleted. As the growing volume of messaging and range of communications platforms encourage automated solutions for records capture, it becomes increasingly important that clear retention protocols are associated with the implementation of IT solutions.
Carefully drafted retention policies and protocols ensure that all relevant electronic communications are properly retained or deleted in compliance with legal and business requirements. Information governance provides a studied approach to addressing recordkeeping requirements more holistically to cover a range of communications including instant messaging, and demonstrates to regulators that internal controls are sufficient to cover all potential records for which a company is responsible.