1. The original Policy
The Policy, which was announced in November 2017, aimed to provide guidance to corporations on the definition of full cooperation with the DOJ in FCPA matters, and the benefits that could follow from such cooperation. Under the 2017 Policy, corporations that satisfied the defined standards of “voluntarily self-disclosure, full cooperation, and timely and appropriate remediation” would be afforded a presumption that FCPA matters would be resolved through a declination, absent aggravating circumstances involving the seriousness of the offense or the nature of the offender.
Further, in order to show that it had undertaken timely and appropriate remediation, a corporation had to demonstrate that it had appropriately retained business records, including by “prohibiting employees from using software that generates but does not appropriately retain” business communications.
The broad prohibition seemed to cover employees’ use of mobile messaging apps. Such apps, which include WhatsApp and WeChat, are commonly used in many major markets for business communications. For example, WeChat is regularly used by employees in China, and in certain instances to the exclusion or neglect of corporate email accounts.
This Policy, however, left unanswered a number of questions with respect to its practical implementation and enforcement. Were U.S. and multinational companies operating in these markets required to impose an outright ban on their employees from using these messaging services? Would such a Policy be realistic, given the widespread use of mobile messaging apps in both social and business contexts?
2. The revised Policy
On the same day that the DOJ announced the revised Policy, Assistant Attorney General Brian A. Benczkowski remarked that it was important for the DOJ to periodically review its policies, and “to ensure that our policies are clear, comprehensive, and up to date.” Benczkowski continued by noting that the Policy was being updated to “bring it in line with current practice.”
Accordingly, while the revised Policy continues to require corporations to appropriately retain business records, the standard for appropriate retention no longer requires corporations to prohibit their employees from using messaging apps. Instead, corporations are mandated to implement “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms” that would hinder the ability to appropriately retain business records.
3. Some observations
The updated Policy reflects, in our view, the DOJ’s recognition that the information that resides on these messaging apps can often provide significant evidence of misconduct, or schemes to perpetuate such misconduct. Companies should likewise be attuned to the attendant risks of their employees seeking to avoid detection of non-compliant behavior by communicating with one another, or third parties, via such messaging apps.
However, the DOJ has not provided written guidance on the types of “guidance and controls” surrounding the use of messaging platforms, that it would deem to be “appropriate.”
Corporations will therefore need to make this determination on their own, and develop suitable controls. Certain steps that corporations may consider taking, bearing in mind that there is no one-size-fits-all approach to this issue, include:
- Conducting a risk-assessment to fully understand the various ways that the company’s employees engage in business communications.
- Reviewing and updating existing information technology (IT) and data policies regarding the retention of business records and communications, to ensure that they adequately cover personal communications and the use of ephemeral messaging apps.
- Enhancing the IT infrastructure to ensure the ability to effectively monitor all business communications.
- Conducting periodic training for employees on the appropriate retention of business records, including business communications on messaging apps on mobile devices.
- Conducting a periodic monitoring of employees’ use of corporate IT systems, to ensure the employees’ compliance with the company’s data retention policies.
4. Conclusion
The updated Policy highlights the need for companies to proactively ensure that they have the appropriate policies and procedures in place to prevent the loss of business records, including those transmitted through mobile messaging apps. This is not only a matter of regulatory enforcement risk, but prudent business practice.
Client Alert 2019-099