Anyone who has spent much time in China or dealt with investigations in China has probably heard of WeChat, a social media application. WeChat has over 900 million daily users, making it far and away the most ubiquitous social media platform in China.
While WeChat can be used for a variety of applications, the most relevant functions related to for investigations are messaging (individual and group chats) and money transfers.
WeChat is used very commonly in China for both personal and work-related communications and has become the most popular tools for person-to-person communications in China. In many cases, it supplements or has supplanted email for casual and sometimes business communications. In a signal of its popularity, business people in China often exchange contact information via WeChat instead of exchanging traditional business cards.
During an investigation, WeChat data can reveal discussions of interest among company employees or between company employees and non-employees. In our experience, employees are often far less guarded on WeChat or similar platforms than they would be in email, and may discuss sensitive issues more freely and openly.
We have seen numerous examples of employees using WeChat to discuss everything from collusive vendors to general fake fapiaos. (For a description of fapiaos, see our earlier series here, here, here, and here.)
WeChat also can make audio and video calls, and has a range of payment functions, including peer-to-peer money transfers and a “red packet,” where users can gift money to each other. As such, WeChat data can be a potential gold mine of relevant information in an investigation.
WeChat is primarily used on mobile devices (although the program can also be used on computers), creating challenges for investigations. Because many employers in China typically utilize a bring-your-own-device policy, the data on an employee’s mobile device cannot be directly accessed by employers without an employee’s consent under PRC privacy rules.
This leaves employers in a difficult position — they may know or suspect that an employee’s mobile device contains data directly relevant to an investigation but cannot easily access that data, like the legendary but elusive city of gold — El Dorado.
The situation for many employers in China, particularly those subject to the FCPA, is complicated by the recently issued U.S. Department of Justice’s FCPA Corporate Enforcement Policy (see Covington’s summary here and the Chinese version here).
As part of the requirements for full remediation to be eligible for “mitigation credit” in a resolution, e.g., a reduced fine or declination, the Policy requires “[a]ppropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications.”
The DOJ has not expounded on its expectations on this front, and this new policy will require companies to balance their interests in positioning themselves for mitigation credit interests in facilitating business communications in a cost-effective and secure manner. Some companies are considering prohibiting employees from using personal devices for work-related communications and from using certain well-known messaging platforms for work-related communications, unless preservation of such communications can be assured.
Companies with operations in China might consider steps to minimize problems with employees misusing WeChat:
1. Conduct a communications risk assessment. Given the prevalence of WeChat in China and other similar platforms in other countries, companies may want to conduct a communications risk assessment to understand the nature and extent that their employees use messaging platforms such as WeChat in China and in other jurisdictions. The company could then tailor its IT use policy to balance critical business priorities enabled by messaging with the need to ensure that communications can be accessed for investigative purposes, and if an outright prohibition is warranted.
2. Prohibit employees from using messaging platforms to transmit sensitive work information. Restricting employees from using WeChat or other messaging platforms for sensitive business communications could at least mitigate the risk that sensitive information might be discussed or disclosed in a way that the company cannot track. We are aware of one case where company employees in an R&D function started a group chat on a messaging platform to facilitate discussions. When an employee left the company, however, no one realized that he should have been deleted from the group chat, and he continued to receive sensitive information while working for his new employer — a direct competitor.
3. Refresh IT use and privacy policies. As described in an earlier series about China investigations here and here, companies are wise to update their IT use policy and privacy policy to account for rapidly evolving privacy and cybersecurity laws in China. These updates allow companies to access data relevant for investigations in China while minimizing the risk of blowback under local law.
4. Ask employees for their consent to review or image mobile devices, either at the time of employment or at collection. Chinese privacy laws generally frown upon employers taking and copying an employee’s personal mobile devices without consent. And many employees will decline to give consent. But many do give consent, and sometimes data on those devices can be useful. (Companies could also consider issuing company-issued devices for a broad swathe of employees, which would give the company more direct ability to copy the device, although this can be expensive, given that devices in China are predominantly bought out of pocket rather than subsidized by annual contracts.)
5. Check laptops for backups. Plugging in a mobile device to a company-owned computer could, in some cases, create a back-up file of logs from WeChat or other messaging platforms. That back-up file generally can be recovered from the company-owned computer with much lower risk of running afoul of privacy laws in China. Companies could also consider requiring regular back-ups of messages on company servers that would be accessed unless an investigative need presents.
6. Ask employees about use of messaging platforms during interviews. Sometimes employees are willing to share information or screenshots of key conversations on WeChat or other messaging platforms with other employees or non-employees, even if they are not willing to have their phone imaged. We have had relatively good success in teasing out useful information through this method.
___
Messaging platforms such as WeChat will not disappear in China, and employees are unlikely to stop employees overnight from using them for work-related purposes. Employers can take steps now to be able to minimize risk and best utilize available data during investigations.
______
Eric Carlson, a contributing editor of the FCPA Blog, is a Shanghai-based partner at Covington & Burling LLP specializing in anti-corruption compliance and internal investigations, with a particular focus on China and other regions in Asia. Eric Carlson speaks fluent Mandarin and Cantonese and can be contacted here.
Ping An, an associate in Covington’s Shanghai office, contributed to this post.
2 Comments
Great article Eric! From my company's perspective, personal mobile devices are not allowed in the workplace at all. Employees that require a phone are issued one by the company. Also, our internal investigations, particularly in China, have identified at least 5 other high-risk reasons, apart from the FCPA, that justify the control over an employee's potential use of their own messaging service to communicate company business (e.g. intellectual property protection). At the end of the day, it makes good business sense for a number of reasons.
Hi Eric! Great read. This is packed full with the twisted pitfalls of what the 21st C technologies have imposed upon the corporate workplace. It's really a peak behind the curtain. And now…the remediation process to address all the new age disruption really sets in. It seems our options are to either invest immense amounts of time and money to make these amenities (ie. phones, mobile apps, internet access, softwares) safe and feasible for the company, or get rid of them all together…(do I hear the rebels of the free world calling?).
I love how this idea of "mitigation credits" is picking up. Making the opportunity cost companies forgo in non-compliance a tangible factor in the equation is key to incentivize corporations to be more forward thinking. Ahh…and the compliance matrix thickens. What a show.
Comments are closed for this article!