Last week, the Department of Justice issued some revisions to its guidance on enforcement of the Foreign Corrupt Practices Act. This guidance informs employers of what the DOJ looks for when assessing employers’ level of cooperation and compliance with the FCPA. Thus, employers take this guidance very carefully into account when developing their compliance programs.
One notable change made by the DOJ was a clarification of employers’ obligations to develop policies on the use of “ephemeral messaging platforms” by employees. These are messaging systems such as WhatsApp that automatically delete the messages after some short period of time, such that they cannot be retrieved, and thus evade the employer’s normal records retention system. The potential for use of these systems to facilitate bribes or other improper activities without leaving tell-tale traces caused the DOJ to highlight the issue in 2017. At that time, it was not clear whether the DOJ wanted employers to ban employee use of such apps totally. The new revision indicates that employers do not have to impose a total ban, but they must make a risk-based assessment, develop appropriate policies on the use of such apps, train employees, and enforce the policies. Otherwise, in any DOJ investigation, the employers will not receive full credit. The new language requires employers hoping to receive cooperation credit from the DOJ to have in place:
Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations
While this policy directly applies only to employers subject to the FCPA, that Act has a very broad reach. Moreover, the concepts in the DOJ policy will almost certainly bleed into other contexts, such as domestic bribery, domestic theft schemes, biased comments on fellow employees, and union organizing. Thus, employers would be well advised to review their employees’ use of these ephemeral messaging platforms and develop reasonable and effective controls on their use. Otherwise, employers may be found to have failed to have proper records retention policies and to have turned a blind eye to a known method for employees to avoid detection of their activities.
In developing policies for use of these apps, employers should not just adopt off-the-shelf language, but must make an assessment of the risk certain apps present. Employers should think about what the legitimate uses of the apps are; what real risk they present; are there particular recipients that present greater problems; how widespread is the use of such apps currently; alternative methods of communicating that present lower risk levels; and difficulties in enforcement and administration of any new rules.