On March 8, 2019, the U.S. Department of Justice announced an important change to its Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy concerning one of the conditions — “appropriate retention of business records” — that companies must meet to receive “full credit” for “timely and appropriate remediation” in the resolution of an FCPA enforcement action. Instead of requiring companies to impose a flat ban on the use of third-party instant messaging apps, the new policy gives companies latitude to decide what means to adopt to satisfy their document preservation obligations.
Under the previous version of the Corporate Enforcement Policy, for a company to demonstrate “appropriate retention of business records” to receive full remediation credit, it was required to have in place a policy that “prohibit[s] employees from using software that generates but does not appropriately retain business records or communications” — a description that would cover WeChat, WhatsApp, Snapchat and almost all other messaging apps commonly found in smartphones. Almost immediately after the promulgation of this now-superseded policy, businesses and legal commentators criticized it as unrealistic, especially in certain fast-growing economies, such as China and India, where WeChat and similar messaging apps are used extensively for legitimate business communications — sometimes to the exclusion of corporate email. U.S. and multinational companies operating in these jurisdictions were thus put in the unenviable position of enacting a WeChat/WhatsApp ban that may have been honored as a matter of policy but rarely in practice.
Under the DOJ’s amended policy, now formalized in the latest version of the U.S. Attorneys’ Manual § 9-47.120(3)(c), the requirement of preserving business records and communications remains unchanged. In other words, to obtain credit for “timely and appropriate remediation,” companies must still demonstrate their “ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.” However, companies are now given latitude in the means they choose to do so — i.e., by implementing “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms.”
The amended policy does not elaborate on what constitutes “appropriate guidance and controls.” It therefore falls to companies to assess their technology and business environment, formulate suitable and defensible policies and protocols, and implement and enforce robust controls to prevent and detect violations. While the elimination of the blanket ban is a welcome development, companies bear the risk of being second-guessed by the authorities with the benefit of 20/20 hindsight and should carefully evaluate the adequacy of their internal policies and practices with this consideration in mind.