In December 2017, the DOJ first took aim at messaging apps in its FCPA Corporate Enforcement Policy, which required companies to prohibit employees from “using software that generates but does not appropriately retain business records or communications.”
Companies failing to do so could be disqualified from receiving full credit — e.g., the presumption of a declination — for timely and appropriate remediation in the context of cooperating with a government investigation into potential FCPA violations.
While the wording of the policy was open to a range of interpretations, its basic implications were clear: the DOJ views communications exchanged by company employees through messaging apps as a potentially important source of information in FCPA investigations, and the agency expects companies to take some type of action to facilitate the preservation, collection, and review of such communications.
In the absence of official guidance, companies speculated about the prohibition’s practical implications. In particular, companies questioned whether the policy required them to fundamentally change their rules for employee communications: Should they entirely prohibit employees from using ephemeral messaging apps (that may not store communications), such as WhatsApp, Signal, and Viber, even where employees customarily use them to communicate with each other and with business partners? Did companies need to purchase enterprise versions of messaging software and install them on employee devices to ensure that all business communications can be stored and accessed?
In trying to determine the prohibition’s practical implications, companies turned to general principles of other U.S. enforcement agency compliance guidance. Among other things, compliance practitioners cited the FCPA policy’s use of the term “appropriately” as a signal that the DOJ would apply some form of reasonableness standard, as it has in other contexts. Under this interpretation, practitioners believed that the DOJ expected companies to design and implement risk-based controls over messaging apps — tailored to the company’s operations — similar to the risk-based compliance approaches generally encouraged by the agencies in their Resource Guide to the U.S. Foreign Corrupt Practices Act.
Over the past year, U.S. enforcement officials have generally supported this view in a range of public statements at conferences. For example, Daniel Kahn, Chief of the DOJ’s FCPA Unit, remarked at the American Conference Institute’s (ACI) International Conference on the FCPA last November in Washington, D.C., that the agency expects companies to take a “risk-based approach” in this area.
On March 8, 2019 — roughly fifteen months after initially issuing the policy in its original form — the DOJ updated the relevant provision regarding messaging apps to refine its stance. In doing so, the DOJ clarified that it does not expect companies to prohibit employees from using ephemeral messaging apps, but instead requires them to implement appropriate guidance and controls over such communications. Specifically, the revisions state that for a company to receive full credit for timely and appropriate remediation, the company is required to satisfy requirements including:
According to media sources, these changes addressed concerns expressed by the U.S. Chamber of Commerce. Harold Kim, the Chamber’s vice president, told Law360 “that the move provided clarity for companies by removing what had been viewed by some as a blanket prohibition.”
For companies and FCPA compliance practitioners, the policy change further supports taking a risk-based approach to messaging apps, and those who have already taken such steps are ahead of the curve. Specifically, the updated policy carries forward certain key concepts from the initial version, such as clear signals that the DOJ expects companies to maintain appropriate written guidance and controls over communications and messaging platforms, and to effectively implement such controls, while also:
- Inviting companies to use informed judgement to determine what types of communications and messaging platform controls are “appropriate” — i.e., suitable under the company’s circumstances; and
- Highlighting the need for companies to proactively identify and address areas of potential conflict between the daily communications practices of employees and the range of policies and legal obligations applicable to the organization.
In practical terms, the revised policy suggests that companies should apply common compliance design and implementation approaches to develop risk-based communications and messaging platform controls. Key compliance design and implementation steps may include, for example:
- Risk assessment, to take stock of the types of communications and messaging platforms currently used in the company’s operations; how those platforms are used in practice; what types of data are generated and stored by those platforms; relevant legal and contractual obligations to maintain data, or to restrict its use (e.g., data privacy laws); company policies governing employee communications, among other factors.
- Written guidance/controls enhancements, based on the company’s risk assessment, to potentially address permissible communications and messaging platforms, company access to data (e.g., ability to access data on company-owned devices), and data retention and destruction, among other areas.
- Training and communications to roll out and maintain awareness of the company’s guidance and controls over communications and messaging platforms.
- Monitoring and testing to ensure that employees are actually following the company’s controls over communications and messaging platforms, and that any gaps are promptly remediated.
Perhaps the most important bottom-line takeaway is that the DOJ expects companies to carefully consider and implement controls around communications and messaging platforms in advance of any FCPA investigation. Companies that fail to do so risk not only losing full credit for timely and appropriate remediation under the FCPA Corporate Enforcement Policy, but also a general loss of credibility in future dealings with U.S. enforcement agencies if they ask for employee messaging data that the company cannot locate.
In such circumstances, the agencies would likely be far more receptive to contemporaneous documentary evidence showing that the company took a reasonable approach to communications and messaging platform controls, and would likely assign much less weight to any after-the-fact rationalization of decisions not to control or preserve messaging data.
Nate Lankford is a member at Miller & Chevalier in Washington, D.C. He focuses his practice on matters involving the Foreign Corrupt Practices Act, business and human rights and other areas of international corporate compliance. He has conducted investigations and created tailored compliance programs for U.S. and international companies in several industries and advised companies on all areas of compliance program implementation.
Dawn E. Murphy-Johnson is counsel at Miller & Chevalier in Washington, D.C. She focuses her practice on white collar criminal defense, complex civil litigation and appellate advocacy. She has experience in cases involving tax and accounting fraud, government contracts fraud, public corruption, export control violations and violations of the FCPA. She has also conducted internal investigations on behalf of multinational corporations.