The United States Department of Justice (DOJ) has relaxed what some interpreted as a blanket ban on personal communications and ephemeral messaging services, such as WhatsApp, in the Foreign Corrupt Practices Act (FCPA) corporate enforcement policy. JM 9-47.120 – FCPA Corporate Enforcement Policy. On Friday, March 8, 2019, the DOJ altered its FCPA corporate enforcement policy to accommodate technological and communications advancements and to give corporations more freedom to create their own compliance programs.
While this change allows companies greater flexibility in the types of messaging services they can permit their employees to use, it also requires companies that permit the use of these messaging services to enhance their compliance programs to ensure that business-related data sent using these messaging services is preserved.
The FCPA corporate enforcement policy was established in 2017. Its purpose is to “provide guidance and greater certainty for companies struggling with the question of whether to make voluntary disclosures of wrongdoing.” Deputy Attorney General Rosenstein Delivers Remarks at the 34th International Conference on the Foreign Corrupt Practices Act, November 29, 2017. The policy informs companies of the steps that any business organization must take in order to achieve full credit for cooperation and remediation during the course of an FCPA investigation.
The factors which the DOJ takes into consideration when deciding whether to charge a company in a bribery investigation include timely self-reporting, cooperating with investigations, and implementing rigorous compliance programs. Under this program, a company will receive benefits, including a potential declination of prosecution, for wrongdoing associated with bribery if the company satisfies the requirements in the policy. The policy included, as a part of the timely and appropriate remediation factor, a requirement that a company must have a policy “prohibiting employees from using software that generates but does not appropriately retain business records or communications” in order to receive full remediation credit. USAM Insert 9-47.120 – FCPA Corporate Enforcement Policy (November 29, 2017). This requirement arguably completely banned both personal and ephemeral messaging services for business purposes.
This prohibition was meant to curb the deletion of relevant evidence by employees engaged in wrongdoing. However, some companies felt that the blanket ban on such messaging solutions was overbroad because it failed to recognize the growing prevalence of these messaging solutions. There are a host of reasons, having nothing to do with their document retention features, that these messaging solutions are becoming more popular, and the outright ban limited companies’ abilities to prescribe their own technology and compliance programs that allowed for the use of these solutions while ensuring that proper document retention policies were in place.
Changes to enforcement policy and effects for the future
On March 8, 2019, the DOJ announced changes to the policy regarding disappearing messages. The amended policy requires that companies implement “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company's ability to appropriately retain business records or communications or otherwise comply with the company's document retention policies or legal obligations.” JM 9-47.120(3)(c) – FCPA Corporate Enforcement Policy. Under this new policy, companies are not required to ban disappearing messaging platforms completely, but companies must develop a retention program that will retain such messages in compliance with applicable document retention requirements.
The new policy certainly represents an opportunity for companies to rethink their technology solutions. But the opportunity comes with a cost: companies that permit the use of these messaging solutions must focus on strengthening and amending their retention and compliance programs to account for these messaging solutions and to develop policies and procedures, as well as technological solutions, that will enable employees who use these messaging solutions for business purposes to comply with all applicable document retention requirements.
Ultimately, companies must now determine on their own whether an outright ban, like the type that DOJ originally contemplated, is both feasible and desirable. If a company determines that a ban is not feasible or that it wants its employees to be able to use these types of messaging solutions, it must begin the hard work of upgrading its compliance program to account for these messaging solutions.
Find out more about the ramifications of this policy revision by contacting any of the authors.