Our bank has an internal messaging platform that is used for internal communications only. We currently archive these messages, but the platform is predominantly used for non-business-related communications. We would like to turn off the archiving feature so that the messages are automatically deleted. We also would train our employees not to use the messaging platform for any business-related communications. Is there any guidance on the deletion of employee instant messages?

Yes, guidance issued by the OCC in 2016 discourages the permanent deletion of messages transmitted over internal chat and messaging platforms.

The guidance reminds OCC-supervised banks that the use of chat and messaging platforms that allow for the permanent deletion of transmitted messages “conflicts with OCC expectations of sound governance, compliance, and risk management practices as well as safety and soundness principles,” particularly if the deletion occurs “within a relatively short time frame.” The OCC also noted that “[b]ank management must ensure that its adoption of any communications technology continues to allow for examiner access to appropriate bank records.”

While your bank’s primary federal regulator is the FDIC, we believe that FDIC examiners also may find that enabling an auto-delete function on an internal messaging platform impedes their ability to thoroughly examine your bank’s records. Although you may advise your examiners that your bank’s policy forbids the use of the messaging platform for any business-related communications, your examiners would not be able to verify adherence to this policy if all such messages are automatically deleted.

For resources related to our guidance, please see:

  • OCC Bulletin 2016-13, Guidance for Banks’ Maintenance of Records, Records Retention, and Examiner Access (April 27, 2016) (“Certain available communications technology contains data deletion and encryption features that can be used to prevent or impede OCC access to a bank’s books and records. For example, the OCC is aware that some chat and messaging platforms have touted an ability to ‘guarantee’ the deletion of transmitted messages. The permanent deletion of internal communications, especially if occurring within a relatively short time frame, conflicts with OCC expectations of sound governance, compliance, and risk management practices as well as safety and soundness principles.”)
  • OCC Bulletin 2016-13, Guidance for Banks’ Maintenance of Records, Records Retention, and Examiner Access (April 27, 2016) (“Bank management must ensure that its adoption of any communications technology continues to allow for examiner access to appropriate bank records. Record retention practices that are consistent with OCC expectations will enhance effective oversight by banks’ compliance and internal audit functions as well as comply with established governance, compliance, and risk management practices.”)
  • Federal Deposit Insurance Act, 12 USC 1820(b)(2)(A) (“Any examiner appointed under paragraph (1) shall have power, on behalf of the Corporation, to examine . . . any insured State nonmember bank or insured State branch of any foreign bank; . . .”)
  • Federal Deposit Insurance Act, 12 USC 1820(b)(6)(A) (“Each examiner appointed under paragraph (1) shall . . . have power to make a thorough examination of any insured depository institution or affiliate under paragraph (2), (3), (4), or (5); . . .”)