Closeup of a young woman sitting at a table in a cafe using a digital tablet

DOJ guidance: establishing governance over third-party messaging apps

Related topics

Steps to take now to enhance Information Governance programs.

In brief
  • The DOJ Criminal Division’s updated guidelines mark an expansion of regulatory interest in ephemeral and third-party messaging apps beyond financial services.
  • Many companies are starting to implement information governance programs to address the management of information risks.
  • Bringing together the collective knowledge of stakeholders enables companies to stay agile and adapt to changes in the technology and data landscape.

In the first of this three-part series, the EY Forensic & Integrity Services team explores the steps to take now, next and beyond to effectively address the U.S. Department of Justice (DOJ) guidance regarding ephemeral and third-party messaging apps while laying the foundation for a broader information governance program.

Download full article on DOJ guidance on ephemeral and third-party messaging apps: how to establish governance and drive compliance

Regulators are taking action after years of debate about the use of ephemeral and third-party messaging apps.


Navigating the risks created by ephemeral and third-party messaging apps in the workplace is top of mind for companies considering the heightened regulatory activity over the past year. The U.S. Securities and Exchange Commission (SEC)¹ and Commodity Futures Trading Commission (CFTC)² issued fines totaling more than $2.5b in 2022 and 2023 to companies for violations of record-keeping requirements stemming from use of third-party messaging applications. Regulatory scrutiny of these apps and the use of personal messaging to conduct business does not appear to be slowing down with the SEC’s ongoing focus on off-channel communications³ and the release of its 2023 examination priorities, which continue to emphasize the importance of record-keeping for electronic communications.⁴ The DOJ Criminal Division’s updated Evaluation of Corporate Compliance Programs (ECCP) guidelines, March 2023, marks an expansion of regulatory interest in ephemeral and third-party messaging apps beyond financial services, and includes long-awaited guidance on how a compliance program’s governance of employee use of personal devices and third-party messaging platforms and apps will be evaluated.


The DOJ put forth a series of questions aimed to guide prosecutors in their evaluation of a company’s guidance and controls. What is clear from the inquiries outlined in the ECCP is that implementing effective governance over this complicated ecosystem of devices, platforms and apps requires engaging stakeholders from across the organization, including compliance, risk management, legal/litigation, IT, information security, records and information management, privacy and more. The multifaceted nature of this issue should be a “lightbulb moment” for companies to rethink ad hoc and siloed approaches to manage and control their information moving forward.

As regulatory guidance and scrutiny on ephemeral and third-party messaging apps continues to evolve, companies are realizing that data and technology are no longer just an ‘IT’ issue.

Bring your own device (BYOD) programs and increasingly common remote/hybrid workplaces have introduced more than just “IT” risks. Compliance risks associated with data and technology also need to be identified, measured and mitigated. Many companies are starting to implement information governance programs to address the management of information risks that span domains, such as records and information management, legal processes, information security, data privacy and data governance. Bringing together the collective knowledge and expertise of these varied stakeholders enables companies to stay nimble and rapidly respond to changes in the evolving technology and data landscape in which they operate.

The diverse challenges posed by personal devices and third-party messaging applications illustrate the benefits of an information governance program. Information governance stakeholders can bring various perspectives and insights to the table, including:

  • Records and information management: distinguishing business records and communications that need to be retained (and for how long) from nonbusiness records that can be purged or deleted
  • Legal/litigation: determining approaches and considerations for complying with obligations to preserve information for regulatory or legal matters
  • Privacy: balancing company surveillance activities with evolving data privacy obligations
  • Business: determining business needs and related emerging technologies to enable the company to remain competitive
  • Information technology: identifying the technical capabilities of various platforms to support preservation, retention, deletion, and limitations or consideration for enabling different settings
  • Information security: understanding the potential for data loss and misuse for different technologies
  • Compliance: considering the relevant laws and regulations when implementing policies and how policies will be enforced

Steps to take Now, Next and Beyond

Ephemeral and third-party messaging apps pose unique challenges for companies, and traditional ways of identifying, managing and governing this technology may not be as effective due to the emerging nature of these risks, issues and the technology itself.

Now: Support proactive initiatives designed to drive compliance and reduce risk:

  • Assess current employee use of personal devices and third-party applications to identify potential risk areas or compliance violations.
  • Review, align and update policies and procedures (e.g., acceptable use, BYOD, records and information management, legal hold and preservation).
  • Evaluate technology to support compliance (e.g., enhanced functionality or tools that enable capture, retention and archival capabilities).
  • Train employees on information risks and new requirements and promote a culture of compliance.
  • Consider enterprise licenses for key communication and collaboration platforms that offer elevated control and compliance functionality.
  • Adapt a more agile mobile device management (MDM) program to address variable risks in employee populations.

Next: Prepare for reactive regulatory inquiries and investigations to enable timely and complete responses to regulators and courts:

  • Develop legal hold processes and train employees and IT system owners to enable timely preservation.
  • Leverage technology to issue, track, monitor and lift legal holds.
  • Identify and define key data sources that have frequently been subject to legal hold and collection.
  • Understand retention and disposition practices, including preservation and collection considerations.
  • Define forensic collection standards, processes and technologies, including appropriate data transfer and chain of custody protocols.
  • Evaluate forensic acquisition tools and techniques needed to collect information from nonstandard data sources.

Beyond: Establish an information governance program to manage information risks in an evolving business, technology and regulatory environment:

  • Socialize the value of a holistic information governance program across the organization to support an enhanced understanding of information risk and the benefits to mitigate fines and reputational risks associated with regulatory enforcement or other public incidents.
  • Establish a cross-functional governance structure and operating model.
  • Harmonize policies, standards and procedures across information risk domains to drive consistency in terminology and requirements.
  • Centralize information risk monitoring activities through standardized methodologies and reporting. structures.

Kymberli Shoemaker also contributed to this article.


The DOJ’s updates to the Evaluation of Corporate Compliance Programs note the continued focus and action by regulators when it comes to the use of ephemeral and third-party messaging apps. Establishing governance over these apps not only support effective practices, but also strengthen a company’s culture of compliance.

About this article

Related articles

DOJ’s new safe harbor policy encourages self-disclosure in M&A

A new DOJ safe harbor policy encourages companies to voluntarily self-disclose criminal conduct discovered at an entity acquired through M&A. Learn more.

13 Nov 2023 Katie Kyle

How recent DOJ activities signal importance of data analytics

A compliance analytics strategy and roadmap can help companies respond to increased guidance on the use of data. Learn more.

16 May 2023 Miles Ripley + 2