Amendments to FCPA Corporate Enforcement Policy
In March 12, 2019, the US Department of Justice (DOJ) modified the FCPA Corporate Enforcement Policy (the “Policy”). This Policy credits corporations that voluntarily self-disclose, provide full cooperation, and demonstrate timely and appropriate remediation in FCPA matters with a presumption of declination absent aggravating factors. A key change is to now allow the use of “ephemeral messaging platforms”, such as WeChat and WhatsApp, for business communications as long as controls are put in place to ensure appropriate retention of business records. These “controls” however require careful consideration as we discuss below.
Obligations to control or retain WeChat and WhatsApp business communications
In November 2017, the DOJ adopted the Policy to provide corporations with further certainty around the benefits of cooperating with the DOJ and how to obtain a declination. Many observed that the original language in the Policy indicated that to effectively remediate, business records could not be stored on messaging platforms because such platforms could not effectively retain business records. This was practically difficult as messaging apps are routinely used in the modern business context. The Policy amendments acknowledge the reality that business communications occur over these platforms – including as part of employees’ personal communications – and advise corporations to implement “appropriate guidance and controls” to ensure that the corporation retains these business records or communications as part of its document retention policies or legal obligations.
This development continues the trend seen in the People’s Republic of China issuing new rules to clarify procedures for collection of electronic data in criminal cases, which took effect in February 2019 – see our alert.
In addition to the guidance on the adoption of policies and controls around business communications on messaging apps, the amended Policy reflects two additional clarifications:
- In the M&A context, the Policy reflects the DOJ’s position that there will be a presumption of a declination where a company undertakes an M&A transaction where misconduct is uncovered through thorough and timely due diligence or post-acquisition compliance integration efforts; and
- Further guidance on “de-confliction” when the DOJ may request a deferral of investigative steps by a company for a limited period of time.
Actions to take
With the proliferation of messaging apps and the migration of business records to these platforms, it is essential that companies reconsider their policies and controls around the use of these apps to comply with the Policy’s expectations. In addition, it is important for companies to have access to these business communications when seeking to conduct credible internal audits and investigations. Depending on the industry and the legal requirements, we recommend that companies:
- Control the use of messaging applications and restrict their use to devices that the company owns and/or can control and review. For high risk business functions (ie. procurement, government touchpoints), we recommend issuing a company device and ensuring that company policies will enable access and review of business communications respectful of relevant employment and data privacy laws.
- Review IT and data privacy policies and procedures that apply to the use of messaging apps. These include carefully crafting “Bring Your Own Device” policies to clearly allow access to business records, should the company wish to allow employees to use their own devices for business communications.
- In certain limited circumstances, prohibit the use of messaging apps for business communications. Note that messaging apps may not provide sufficient privilege protection for attorney-client communications.