
2025 Global compliance risk benchmarking survey

Industry perspectives on the state of compliance today and effective strategies for managing compliance risk within the changing regulatory landscape


In a world that moves at break-neck speed, corporate legal and compliance teams have never faced greater pressure to stay ahead of the game. The result is a function that is not just reactive to risk, but increasingly proactive in shaping corporate behavior and decision-making.

This year’s Global Compliance Risk Benchmarking Survey offers a timely snapshot—based on insights from 265 senior compliance, legal and risk professionals worldwide—of how today’s legal and compliance leaders are adapting to new technologies, regulatory expectations and cultural shifts in business conduct.

The themes explored in this year’s survey reflect the changing nature of legal and compliance risk management. Artificial intelligence (AI) is becoming an operational reality within legal and compliance teams. Our findings show that while a growing number of organizations are deploying AI to drive efficiency and clarity in investigations and reporting, concerns about accuracy, governance and data privacy remain significant. As adoption increases, so does the need for guardrails to ensure that the use of AI enhances—rather than undermines—operational integrity.

We explore not only whether organizations are using AI, but also how long they have been doing so; the primary motivations driving adoption; the specific uses being prioritized; and the perceived advantages gained by users. Crucially, we also investigate the key concerns surrounding AI utilization; the prevalence of governance policies; the integration of AI risk into broader enterprise risk management (ERM) frameworks; and controls being implemented to ensure the trustworthiness and reliability of these tools.

Additionally, we examine the use of off-network messaging applications—tools that are convenient for employees, but often challenging for legal and compliance teams to monitor and access. The findings suggest that while many companies are implementing written policies, only a minority actively collect or audit off-network communications. This raises questions about whether these policies are enforced at all and, if so, how well, and whether they are sufficiently comprehensive in scope; it also emphasizes the importance of clear risk leadership and the right “tone from the top”. Regulators are watching this space closely, and companies must consider whether their current approaches are sufficient in both spirit and substance.

The conversation around compliance incentivization shows promising signs of maturity. Many organizations are now integrating compliance metrics into compensation and performance frameworks. This finding suggests a shift from relying solely on punitive measures toward building a culture where ethical behavior is actively recognized and rewarded. Yet, the effectiveness of these programs depends not just on their existence, but on whether they are actually implemented, how consistently they are applied and whether they are aligned with broader business goals. The survey sheds light on the growing use of compliance-linked key performance indicators (KPIs) and how these are shaping both corporate culture and accountability.

In the final section, the report explores how companies are approaching voluntary self-disclosure to the United States Department of Justice (DOJ). While many companies now have formal processes to assess potential misconduct and to consider self-reporting, concerns about cost, reputational risk and the perceived benefits of disclosure continue to hold some organizations back. These concerns should be considered in the context of the global landscape. It remains to be seen, for example, the extent to which updated UK guidance on corporate self-reporting will factor into the equation for multinational organizations.

Together, these findings offer a nuanced view of how legal and compliance teams are navigating the demands of a digital, distributed and demanding business environment. From emerging technologies to traditional risk domains, the survey provides practical benchmarks and insights for organizations aiming to build resilient, forward-looking compliance programs.

We hope you find this year’s report both informative and thought-provoking.

Key takeaways

Given the far-reaching nature of the survey and the findings within, as well as the changing nature of the compliance function, below are five takeaways that every legal and compliance leader should keep front of mind.

1. AI adoption is accelerating—and governance must keep pace

As more compliance teams deploy AI to streamline investigations and analyze risk, oversight frameworks need to evolve in parallel. Clear internal policies, strong ERM integration and proactive controls are essential to avoid over-reliance and ensure ethical, defensible use of these tools.

2. Managing off-network messaging is now a baseline expectation

Having a policy on off-network messaging is no longer a differentiator—it’s a minimum requirement. Policy enforcement mechanisms, such as backup requirements and audit trails, are the next frontier, and organizations lagging here risk falling short of regulatory expectations.

3. Compliance incentives are working—but must go deeper

Tying compensation and recognition to compliance outcomes is gaining traction and positively shaping behavior. To be effective, however, these programs must apply across employee levels and extend to third parties. Selective or symbolic application risks undermining their impact.

4. Voluntary disclosure is still a difficult choice; decision frameworks help

While concerns about cost, reputational harm and prolonged regulatory scrutiny persist, many organizations are still investigating and remediating misconduct—even when they opt not to self-disclose to the DOJ. The trade-offs are real: Voluntary self-disclosure may lead to reduced penalties and credit for cooperation, but it can also trigger intense external investigation, significant legal fees and public exposure. Building robust internal frameworks to assess these scenarios—and engaging regulators early where appropriate—can help organizations make more confident, consistent decisions.

5. Compliance is becoming a strategic function

As risks grow more complex and digitalized, the compliance function is evolving into a strategic advisor to the business. This shift not only requires more resources, but also a change of mindset—embedding compliance thinking into executive-level planning.


Off-network messaging and compliance


Key takeaways

1. The use of off-network messaging apps for business communication is widespread, creating significant compliance and risk management hurdles

2. While many organizations have adopted formal rules around off-network messaging use, implementation often lags, with manual workarounds, unclear expectations and limited enforcement undermining effectiveness

3. Despite awareness of the risks, few organizations are equipped to reliably capture, monitor or retrieve business-related communications from personal or off-network platforms

4. Capturing and preserving communications from encrypted, third-party applications, especially on personal devices, presents significant technical, privacy and logistical difficulties

5. Features that cause messages to disappear automatically, i.e., ephemeral messaging, are fundamentally incompatible with recordkeeping duties and significantly increase compliance and legal risks, leading many organizations to ban their use entirely

The ubiquity of off-network messaging applications presents a major challenge for legal and compliance functions. While offering convenience and immediacy, these platforms operate largely outside traditional corporate IT infrastructure, creating substantial risks related to recordkeeping, regulatory supervision, data security, legal discovery and the potential for unmonitored misconduct. Regulatory and enforcement authorities globally, particularly those overseeing financial services, have intensified their scrutiny of off-network messaging use for business communications, highlighting the severe consequences of non-compliance.

The risks associated with unmonitored off-network communications are not theoretical, but have crystallized into significant financial and reputational consequences for numerous organizations. Since late 2021, US regulators, led by the United States Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC), have launched sweeping enforcement initiatives targeting widespread failures by broker-dealers and investment advisors to preserve business-related communications conducted on personal devices and off-network messaging platforms. These enforcement actions have resulted in large penalties, exceeding US$2.5 billion in total fines levied against over 100 firms as of early 2025.

Individual penalties have often reached tens or even hundreds of millions of dollars. Investigations consistently revealed that employees, including senior managers and executives, routinely used text messages and apps for substantive business discussions, violating critical recordkeeping rules such as Rule 17a-4 of the Securities Exchange Act of 1934.

While self-reporting and cooperation have occasionally resulted in reduced penalties, the baseline fines remain substantial, underscoring the regulators' insistence on robust recordkeeping practices regardless of the communication channel used.

The UK's Financial Conduct Authority (FCA) has thus far adopted a less punitive approach, focusing on clarifying expectations under existing rules and issuing information requests to selected institutions rather than imposing SEC-scale fines. Nonetheless, a number of UK firms have taken their own actions against staff found to be using personal instant messaging systems.

It is clear that, globally, regulations are moving toward emphasizing heightened scrutiny of off-channel communications, putting pressure on firms everywhere to proactively address these gaps.

Similarly, the US DOJ has made clear that prosecutors assessing corporate compliance programs should consider a company's policies and procedures governing the use of off-network messaging applications, which should be tailored to the company's business needs and ensure to the greatest extent possible that business communications are accessible and can be reviewed by the company. Recent DOJ enforcement actions also underscore the DOJ's expectations regarding companies' review and production of communications stored in off-network messaging applications; indeed, the companies that have maximized cooperation credit under the DOJ's revised Corporate Enforcement Policy (CEP) reviewed and produced to the DOJ communications from off-network messaging applications.


Regulatory landscape and foundational device policies

Direct regulatory mandates governing the use of off-network messaging applications for all business types are not yet universal. Indeed, half of survey respondents indicate they do not work for organizations directly regulated by a governmental authority concerning off-network messaging usage specifically. This finding suggests that, while sectors such as finance face explicit rules, many other industries operate under broader recordkeeping guidelines or have regulations governing conduct that off-network messaging use might implicitly violate, rather than specific off-network messaging directives.

The foundation for controlling off-network messaging often starts with policies governing the devices that employees use. Formal "bring-your-own-device" (BYOD) policies are not consistently established, however, with 53 percent of respondents reporting they do not have such a policy. But there is a striking difference between business types: While only 34 percent of corporate respondents have a global BYOD policy, this figure jumps to 90 percent among private equity firms, likely reflecting divergent operational priorities, IT environments and workforce compositions.

Even without a formal BYOD policy, the question remains whether employees are permitted to use personal devices for work. More than half (54 percent) of respondents do not permit employees to use their personal devices for business purposes. This restriction is more common among larger organizations; a little over a quarter (26 percent) of the highest revenue-generating respondents allow personal device use for business, compared with 45 percent of the lowest revenue-generating respondents.

Again, a stark contrast exists between corporate respondents and private equity firm respondents, with only 35 percent of corporates allowing personal device use for business compared with 90 percent of private equity firms. This disparity suggests private equity firms operate with significantly different technology and communication norms compared with traditional corporate environments. Prohibiting personal device use entirely is one strategy to mitigate off-network messaging risks, as it theoretically keeps business communications contained within company-managed systems, although enforcing such prohibitions can be challenging and perhaps impractical.


Governing the use of off-network messaging applications

Recognizing the ubiquity of personal device usage with third-party communication apps installed, many organizations attempt to control off-network messaging use through specific policies, regardless of device ownership. A majority (63 percent) of respondents report having a written policy governing employee use of off-network messaging apps. Policy adoption is more prevalent among respondents facing greater public scrutiny or possessing more resources: 72 percent of publicly listed respondents have a policy compared with 50 percent of non-listed respondents and 79 percent of the highest-revenue-generating respondents have one versus 54 percent of the lowest.

Despite the prevalence of policies, the dominant approach by respondents is prohibition or significant restriction of off-network messaging use. A majority (58 percent) of respondents do not permit employees to use off-network messaging apps for business communications. Private company respondents are more likely to allow off-network messaging use for business globally (47 percent) compared with publicly listed company respondents (27 percent). Similarly, lower-revenue respondents are far more permissive (45 percent allow) than the highest-revenue respondents, where only 9 percent permit off-network messaging use for business communications globally. The corporate versus private equity split is also pronounced, with 70 percent of private equity firm respondents allowing off-network messaging use for business compared with only 36 percent of corporates. This pattern suggests that larger, public corporations facing greater regulatory pressure and possessing more established communication infrastructure tend to adopt a much more conservative position toward off-network messaging risks.


Managing permitted use: Limitations, back-ups and tech hurdles

For the respondents (39 percent) that do permit off-network messaging use for business communications, restrictions are common. Over half (51 percent) of respondents that allow usage limit it strictly to non-substantive scheduling or logistical communications, in an attempt to keep official business records off these platforms while acknowledging their convenience for quick coordination.

A critical challenge is record retention. Off-network messaging data typically resides outside corporate IT infrastructure, making preservation difficult. To address this reality, among respondents allowing off-network messaging usage, 72 percent require employees to actively back up or manually save any off-network business messages. This approach, however, relies heavily on employees being diligent and may not meet regulatory and/or corporate expectations for completeness and reliability. Private equity firms appear to be stricter on off-network procedures, with 60 percent—compared with 28 percent of corporates—requiring employees to use an enterprise-wide off-network messaging application as well as backing up or manually saving any off-network messages.

Addressing the technical challenge of capturing off-network messaging data is also a major hurdle. While the market offers potential solutions, none is without drawbacks. Some platforms provide enterprise versions with built-in archiving, but these solutions often do not cover popular external apps. Third-party archiving vendors offer specialized tools, but implementation can be complex and costly. 

End-to-end encryption poses a significant barrier to access and preservation, often requiring capture on the device itself, which is difficult to achieve reliably, especially under BYOD scenarios, and requires employee cooperation that, depending on the circumstances, may not be forthcoming. Frequent app updates can break integrations, requiring constant maintenance. Employee privacy concerns are also paramount, particularly with personal devices. The manual alternative—requiring employee screenshots to track their activity—is fundamentally unreliable, lacks metadata, cannot be easily authenticated and fails to meet robust recordkeeping standards. 

Ephemeral messaging dilemma

Ephemeral messaging features (causing messages to disappear after they are read) pose an even greater challenge. Recognizing this heightened risk, nearly half (48 percent) of all respondents expressly prohibit the use of ephemeral messaging applications for business purposes. This prohibition is significantly more common among organizations under greater regulatory scrutiny: 58 percent of publicly listed respondents ban ephemeral messaging compared with 33 percent of private organizations, and 67 percent of the highest-revenue-generating respondents impose a ban compared with 39 percent of the lowest. For financial firms, where communications can constitute trade instructions, client advice or other regulated activities, the inability to retain ephemeral messages creates unacceptable compliance gaps.

Disappearing messages are generally incompatible with recordkeeping obligations and investigation needs. Furthermore, the intentional use of ephemeral messaging after a duty to preserve legal or regulatory information arises can lead to severe consequences, including allegations of obstruction or evidence tampering—risks that financial institutions and others are keen to avoid given the potential for substantial fines and reputational damage.


Investigations and data collection: A significant gap 

The true test of off-network messaging controls often arises during internal investigations or inquiries by enforcement authorities. Three quarters of respondents report, however, that they did not collect any business communications from off-network messaging apps in connection with investigations over the past 12 months. This finding points to significant technical and practical hurdles, including privacy concerns and the need for employee cooperation. The disparity between high-revenue respondents (39 percent collected off-network messaging data) and low-revenue respondents (5 percent collected) suggests resources and regulatory impetus influence collection efforts.

For the 17 percent of respondents that did collect off-network messaging data, the methods employed highlight the lack of sophisticated strategies. The dominant approach, used by 69 percent of collectors, involved manual processes: employee interviews combined with manual searches and screenshots on the employee's device. This method is labor-intensive, prone to incompleteness, difficult to authenticate forensically and highly dependent on employee cooperation.

This inability to effectively capture and produce off-network messaging data carries significant legal risks beyond regulatory fines. In litigation, the failure to preserve relevant electronically stored information (ESI) may constitute spoliation, potentially leading to court sanctions, adverse inference instructions (telling a jury to assume missing evidence was harmful), or even dismissal of claims.

Collecting data forensically from personal devices is also far more complex than from corporate systems, potentially impacting admissibility. The inability to produce relevant communications from these off-channel sources can critically undermine an organization's legal defense or its ability to respond comprehensively to external inquiries.


Making policies stick 

The widespread use of off-network messaging apps continues to present a major compliance challenge. While a majority of respondents have implemented written policies, the prevailing approach leans toward prohibition or severe restriction on off-network messaging use, especially in larger, public corporations. Ensuring adequate recordkeeping remains a challenge, often relying on imperfect manual employee backups, while ephemeral messaging is frequently banned outright.

Perhaps most critically, the gap between the reality of off-network messaging usage and the ability of most organizations to effectively monitor, retain and retrieve relevant business communications persists. This gap poses significant ongoing compliance risks. Addressing this challenge requires more than written policies. Effective implementation demands clear communication of expectations and consequences, regular tailored training, consistent enforcement applied at all levels (including senior management, whose conduct was frequently cited in enforcement actions) and providing viable approved communication alternatives. 

Fostering a culture where employees understand the risks and prioritize approved channels for substantive business is a must. While technology solutions are evolving, they present challenges related to encryption, privacy and cost. Until these challenges are addressed, mitigating off-network messaging risk requires a multi-pronged approach that combines policy, training, technology where feasible and strong cultural reinforcement.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
