In early March 2019, the Department of Justice (DOJ) revised its Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy (the Policy). First announced in November 2017, the Policy is designed to encourage companies to self-report FCPA violations and to cooperate with the DOJ’s FCPA investigations. The Policy and its recent revisions were incorporated into the United States Attorneys’ Manual (USAM), now referred to as the Justice Manual (JM), which is the internal DOJ document that sets forth policies and guidance for federal prosecutors.
One of the most notable aspects of the original Policy was its requirement that companies seeking to obtain remediation credit prohibit employees from using ephemeral messaging systems unless appropriate retention mechanisms were put in place. According to the original Policy, a company would receive full credit for remediation only “if [it] prohibit[ed] employees from using software that generates but does not appropriately retain business records or communications.”
We heard many concerns from the business community and defense bar about this prohibition, which was seen as inconsistent with the way many parts of the world conduct business. Many people we heard from could not, for example, imagine their employees doing business in Brazil without WhatsApp or in China without WeChat. But storing all messages sent on such programs poses technological and financial challenges, and could increase a company’s vulnerability to cyber breaches.
In seeming response to these concerns, the DOJ removed the outright prohibition against ephemeral messaging and revised the Policy so as to give companies more leeway to develop a system that better fits their business needs while still complying with the Policy’s underlying goal—to deter employees from going “off the grid” to further a foreign bribery scheme, and to preserve the evidence in the event that a foreign bribery scheme does take place.
Under the revised Policy, companies seeking remediation credit must “implement[] appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.”
The revised Policy thus gives companies the ability to choose the technology, policies and controls for ephemeral messaging that work best for their businesses. For example, a company may limit the use of ephemeral messaging systems to logistical issues, and prohibit their use for substantive business communications (unless the employee takes steps to preserve such communications). A company seeking to preserve ephemeral messaging may also wish to adopt a written retention policy to ensure that ephemeral messages are stored—and deleted—consistently and in a way that balances the costs and challenges of storage against other business needs.
On that point, devising policies and controls for ephemeral messaging is not just about maximizing remediation credit in the relatively rare event that a company becomes the subject of an FCPA enforcement action—it also makes good business sense. Like the DOJ, companies have an interest in discouraging employees from using ephemeral messaging to avoid detection of improper behaviors—whether that be bribery, self-dealing or any other form of non-compliant behavior—and in making sure important business discussions are appropriately memorialized.
Prior to the original Policy, many companies had not addressed or thoroughly considered how to integrate these new technologies into their business processes. Thus, although the Policy got off to a bit of a rocky start, it did turn the spotlight on an issue that companies are well advised to consider and address.