Matteson Ellis describes what a compliance policy for ephemeral communications should look like – a concern for Latin American countries in particular, where WhatsApp is used widely.
Perhaps in no region of the world is WhatsApp used more frequently than in Latin America. From Mexico to Patagonia, people rely on the application constantly for both personal and professional use. With this new medium of communication, companies operating in Latin America are learning that their approaches to the use of WhatsApp and other instant messaging communication tools are highly relevant to FCPA compliance.
Specifically, these instant messaging platforms can present challenges to FCPA investigators seeking to review employee communications. The applications often do not store communications, or they store them in such a way that communications are not easily accessible to companies or U.S. enforcement agency investigators.
U.S. Government Expectations
Companies want to make sure their practices in this area are consistent with U.S. government expectations. The U.S. Department of Justice (DOJ) has begun describing its compliance expectations for what it calls “ephemeral communications.” At a March 2019 conference in Mexico City, Christopher Cestaro, the Assistant Chief of the DOJ’s FCPA Unit, reminded the audience that the DOJ expects companies to prohibit individuals from improperly destroying communications and documents and to develop policies and controls around instant messaging communications.
In the DOJ’s Enforcement Policy issued just over a year ago, the DOJ first appeared to require companies to prohibit the use of such software, which naturally caused a great deal of concern among companies about the Policy’s practical implications for business. By contrast, the updated policy, issued in March 2019, now suggests that companies should develop risk-based controls for communications and messaging platforms. To receive full credit for timely and appropriate remediation in the context of an FCPA investigation, the DOJ will require, among other things:
Appropriate retention of business records and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.
The DOJ’s Cestaro further explained during his remarks that the Policy is “moving from a bright line (we expect an outright prohibition) to a reasonableness standard. How we view the expectation is that you will have thought through this, [that] you will have implemented the controls that are right for your company and that you will be able to articulate that. So when you come in and meet with us, you are able to say, ‘here is what we put in place, the policy, the controls and here is why we chose each of these things and decided not to ban it outright.’”
Compliance Strategies
What does a corporate policy around ephemeral communications look like? It should be risk-based, structuring controls to target the most relevant forms of communication for the purposes of FCPA compliance. To do this, the company would perform a formal risk assessment aimed at understanding and documenting the types of platforms employees use and how they are used.
Based on the risk assessment:
- The company would design a policy and issue it in writing.
- In the policy, the company might prohibit employees from conducting substantive work-related discussions over WhatsApp, limiting use to nonsubstantive discussions, like logistics when arranging a meeting.
- A company might study local data privacy rules and incorporate them into the policy design.
- A company would train employees on the policy.
- Implementation of the policy would be regularly monitored and tested.
In his remarks in Mexico City, Cestaro also made the important point that such policies can be helpful with more than managing FCPA risk: having stronger controls around employee communications allows a company to have a better understanding of what employees are doing more generally, which can help mitigate the risk of other forms of corporate misconduct, like fraud and embezzlement.
This article was republished with permission from FCPAméricas Blog, for which Matteson Ellis is founder, editor and regular contributor.