Compliance Considerations for Ephemeral Messaging

Written by Jim Trovato, senior consultant at Spark Compliance

Follow Jim on LinkedIn

Ever since the DOJ updated its Evaluation of Corporate Compliance Programs guidance in March of 2023, ephemeral messaging has become a potent concern for compliance officers, corporate leadership, and boards of directors. New sections within the guidance focused squarely on the issue.

It’s no wonder the DOJ is so interested. The trove of information and potential evidence being deleted can cause serious problems in corporate prosecutions. For companies, however, trying to manage ephemeral messaging across the enterprise causes enormous headaches of its own.

What are Ephemeral Messaging Apps?

Ephemeral Messaging Apps (EMAs), also known as self-destructing messaging, are messaging software that automatically erases conversation history between users. They let users send self-destructing messages that automatically disappear from recipients’ conversation histories.

Once deleted, messages are permanently gone and can no longer be accessed, read, screenshotted, or otherwise preserved or shared by either the sender or the recipient. In some messaging applications, particularly those integrated with social media platforms (for example, Facebook Messenger, Instagram, WhatsApp, and WeChat), individual users can opt into functionality that makes their messages automatically disappear after a set period or after the message is read.

These applications are proliferating rapidly and are helping to reshape the landscape of digital communications. Users love them and are flocking to them in droves. By design, both the consumer and business versions of EMAs generally provide (among many other features) end-to-end encryption, screenshot protection, and automatic content deletion from all devices. 

Challenges for companies

Enterprises face a balancing act: their staff want to use these applications for business communications, yet the company must maintain and appropriately preserve business records to meet applicable regulatory requirements.

Companies would serve themselves and their stakeholders well by making inquiries into how their employees and customers communicate. They can use this information to develop document retention and search capabilities that take those realities into account.


Regulatory responses to EMAs

The SEC, DOJ, and other agencies have all made it clear in the past that whatever form business communications take, companies have an obligation to monitor and preserve them.

In 2017, as ephemeral messaging applications grew in popularity, the DOJ revised its Foreign Corrupt Practices Act (“FCPA”) Corporate Enforcement Policy to provide that companies seeking “full credit for timely and appropriate remediation” would need to “prohibit employees from using software that generates but does not appropriately retain business records or communications.” 

The DOJ’s 2019 revisions to its Justice Manual indicated that companies should “implement appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms.”

In March 2023, the Assistant Attorney General issued new guidance on the DOJ’s Corporate Enforcement Policy, as set forth in the Evaluation of Corporate Compliance Programs (ECCP). The guidance describes how prosecutors will consider a corporation’s approach to the use of personal devices, communications platforms, and messaging applications, and it again highlighted the importance of monitoring and managing staff use of personal devices and the messaging applications on them:

“Under the revised ECCP, we will consider how policies governing these messaging applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate, business-related electronic data and communications can be preserved and accessed. Our prosecutors will also consider how companies communicate the policies to employees, and whether they enforce them on a consistent basis.”

Under this new guidance, employee use of ephemeral messaging for business purposes is not an absolute bar to declination. But the spirit of the policy remains that companies should counsel their employees to avoid ephemeral messaging in the business context, and that business discussions should fundamentally occur on traditional platforms that archive communications for compliance purposes in accessible and searchable formats.

Questions for corporate compliance officers

There are several questions that corporate compliance teams should be asking when assessing their current risk posture regarding employee use of these applications. 

The first is whether any existing policies and procedures address the use of these applications. Companies that already have Bring Your Own Device (BYOD) and Records Management policies in place should review them to ensure that the use of EMAs is clearly documented.

Another key question is whether existing corporate IT infrastructure provides similar capabilities (e.g., MS Teams) together with the surveillance capabilities required to respond to regulatory or litigation requests for communications.

If so, does the company communicate both the policy content and the need to use the corporate communications infrastructure rather than tools that are generally available to employees but not authorized by the company?

Best practices for policies and procedures

To minimize a company’s risk regarding ephemeral communications, the best practice is to have clear policies and procedures in place that:

  • Clearly define business communications.

  • Ensure that the policy and associated procedures are understood by employees.

  • Provide authorized and supported capabilities that will allow employees to effectively conduct business communications with external parties.

  • Prohibit employees from using unauthorized EMAs to conduct such communications.

  • Have IT capabilities in place that ensure all business-related conversations are retained in a secure and retrievable format for the required timeframe, so they are available in the event of a regulatory inquiry or litigation, and then securely deleted when the retention period has elapsed, with a defined process to manage exceptions for legal holds.
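The retention rule in the last item, with legal holds overriding expiry, is easy to get wrong in an archive purge job. The following is an added illustration (not code from the author or Spark Compliance): custodian names, timestamps and the one-year period are constructed assumptions.

```python
"""Retention/legal-hold disposition check for an archive of business chat messages.
Constructed example: names, dates and the 365-day period are assumptions, not real data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Message:
    msg_id: str
    custodian: str        # employee whose archived conversation this is
    sent_at: datetime     # timezone-aware time the archive captured the message


@dataclass
class RetentionPolicy:
    retention_period: timedelta                     # required retention timeframe
    legal_holds: set = field(default_factory=set)   # custodians currently under hold

    def disposition(self, msg: Message, now: datetime) -> str:
        """Return 'hold', 'retain' or 'purge' for one archived message.
        The hold check comes first so a hold always overrides an expired period."""
        if msg.custodian in self.legal_holds:
            return "hold"
        if now - msg.sent_at < self.retention_period:
            return "retain"
        return "purge"


def plan_disposition(messages, policy, now):
    """Map every message id to its disposition; a purge job acts only on 'purge'
    and should record each deletion so the disposition itself is auditable."""
    return {m.msg_id: policy.disposition(m, now) for m in messages}


# Constructed sample archive: two old messages, one recent, one custodian on hold.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Message("m1", "alice", NOW - timedelta(days=400)),
    Message("m2", "alice", NOW - timedelta(days=10)),
    Message("m3", "bob", NOW - timedelta(days=400)),
]
POLICY = RetentionPolicy(timedelta(days=365), legal_holds={"bob"})

if __name__ == "__main__":
    for msg_id, decision in plan_disposition(SAMPLE, POLICY, NOW).items():
        print(msg_id, decision)
```

Releasing a hold is a deliberate, separate step: only once "bob" is removed from the hold set does m3 become eligible for purge.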

Corporations with robust compliance programs should have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications, should provide clear training to employees about such policies, and should enforce such policies when violations are identified. These things should be put in place now, not when the DOJ is at the door.


Jim Trovato can be reached at jtrovato@sparkcompliance.com.