US Department of Justice revises FCPA Corporate Enforcement Policy to encourage adoption of guidance and controls around WeChat, WhatsApp and other messaging services

This article first appeared as a Baker McKenzie Client Alert.


Amendments to FCPA Corporate Enforcement Policy
On March 12, 2019, the US Department of Justice (DOJ) modified the FCPA
Corporate Enforcement Policy (the “Policy”). This Policy credits corporations
that voluntarily self-disclose, provide full cooperation, and demonstrate timely and appropriate remediation in FCPA matters with a presumption of
declination absent aggravating factors. A key change is to now allow the use of “ephemeral messaging platforms”, such as WeChat and WhatsApp, for business communications as long as controls are put in place to ensure
appropriate retention of business records. These “controls” however require
careful consideration as we discuss below.

Obligations to control or retain WeChat and WhatsApp business communications
In November 2017, the DOJ adopted the Policy to provide corporations with
further certainty around the benefits of cooperating with the DOJ and how to
obtain a declination. Many observed that the original language in the Policy
indicated that to effectively remediate, business records could not be stored
on messaging platforms because such platforms could not effectively retain
business records. This was practically difficult as messaging apps are
routinely used in the modern business context. The Policy amendments
acknowledge the reality that business communications occur over these
platforms – including as part of employees’ personal communications – and
advise corporations to implement “appropriate guidance and controls” to
ensure that the corporation retains these business records or
communications as part of its document retention policies or legal obligations.

This development continues the trend seen in the People’s Republic of China issuing new rules to clarify procedures for collection of electronic data in criminal cases, which took effect in February 2019 – see Baker McKenzie’s alert.

In addition to the guidance on the adoption of policies and controls around
business communications on messaging apps, the amended Policy reflects
two additional clarifications:

1. In the M&A context, the Policy reflects the DOJ’s position that there will
be a presumption of a declination where a company undertakes an M&A
transaction where misconduct is uncovered through thorough and timely
due diligence or post-acquisition compliance integration efforts; and

2. Further guidance on “de-confliction” when the DOJ may request a
deferral of investigative steps by a company for a limited period of time.

Actions to take
With the proliferation of messaging apps and the migration of business
records to these platforms, it is essential that companies reconsider their
policies and controls around the use of these apps to comply with the Policy’s expectations. In addition, it is important for companies to have access to these business communications when seeking to conduct credible internal audits and investigations. Depending on the industry and the legal
requirements, we recommend that companies:

  •  Control the use of messaging applications and restrict their use to
    devices that the company owns and/or can control and review. For high
    risk business functions (ie. procurement, government touchpoints), we
    recommend issuing a company device and ensuring that company
    policies will enable access and review of business communications
    respectful of relevant employment and data privacy laws.
  • Review IT and data privacy policies and procedures that apply to the
    use of messaging apps. These include carefully crafting “Bring Your Own
    Device” policies to clearly allow access to business records, should the
    company wish to allow employees to use their own devices for business
    communications.
  • In certain limited circumstances, prohibit the use of messaging
    apps for business communications. Note that messaging apps may
    not provide sufficient privilege protection for attorney-client
    communications.

Written by Mini vandePol, Simon Hui, Vivian Wu, Henry Chen, Peter Andres, and Anna Lamut.

Posted by Baker McKenzie