FCPA Establishes Corporate Regulation of Text Messaging Apps

Crystal Lowery

Associate Editor

Loyola University Chicago School of Law, JD 2020

On March 12, 2019, the Department of Justice (“DOJ”) announced revisions of the Corporate Enforcement Policy in the Foreign Corrupt Practices Act. The changes now require company oversight of ephemeral messaging apps used by any employee, stock holder, or agent who discusses business records via the messaging platform. Publicly traded companies must now establish internal compliance policies to review use of ephemeral messaging services, provide ongoing oversight of the messaging services, and may want to completely prohibit the use of such messaging apps for business purposes.

The Foreign Corrupt Practices Act Corporate Enforcement Policy

The Foreign Corrupt Practices Act (“FCPA”) prohibits the payment of bribes to foreign officials, requires insurers to maintain accurate records and oversight, and imposes sanctions on publicly traded companies, including officers, directors, stockholders, and third party agents. Sanctions include civil enforcement and financial penalties, as well as criminal charges. The Securities and Exchange Commission (“SEC”) and the DOJ are responsible for enforcing the FCPA.

The Policy’s original restriction prevented use of instant and ephemeral messaging services and platforms for business communications. Ephemeral messaging services are primarily messaging apps that erase or delete messages after a prescribed period of time. Examples of ephemeral messaging services include Snapchat, WeChat, and WhatsApp. The revised Policy provisions create require companies to enact “appropriate guidance and controls” ensuring retention of business records.

On March 12, 2019, the United States DOJ revised provisions of the FCPA Corporate Enforcement Policy (“the Policy”). The Policy encourages companies to self-disclose violations by providing incentives to self-disclosure. The Policy requires that companies establish a comprehensive compliance program which encourages “timely and appropriate remediation” of violations. Under the Policy, companies must establish a culture of compliance, dedicate resources to an independent compliance program, hire experienced compliance officers who understand risks under the FCPA, perform risk assessments and update the compliance programs based on the risk assessment, audit the compliance program for effectiveness, and establish an effective method of reporting compliance concerns.

Why Do Ephemeral Messaging Services Matter?

The revised Policy requires companies to expand their current policies from the former compliance program requirements. The Policy states that companies must “implement appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.” This update by the DOJ comes after substantial review of the use of ephemeral messaging systems in business practice and the numerous dangers which can and should be mitigated by publicly traded businesses.

Prior to the revisions, many companies utilized ephemeral messaging systems such as WhatsApp and WeChat to transmit confidential business data. Although ephemeral messaging systems provide easy and direct means for business communications, the messaging systems present various dangers to the privacy of those messages. Such systems can open the company to potential data breaches if messages are intercepted, if networks are not secure, or if data breaches occur on the messaging apps. Additional risks from use of ephemeral messaging systems include the possibility that employees will retain sensitive data on their phone after leaving the company, transactions over messages getting removed from servers leaving no evidence of contractual relationships, difficulty maintaining adequate business records when messages are frequently deleted, and inability to audit or investigate messages sent via these systems.

Maintaining Compliance with FCPA

Companies that know or expect that their employees, agents, or stake-holders will utilize ephemeral messaging services to communicate about business functions, should immediately review their policies and procedures for any standards governing the use of technology in the workplace. It is important for companies to have access to all business communications to ensure credible audits and investigations. Many companies have information technology and data privacy policies which could be expanded or clarified to include use of ephemeral messaging services, but these policies, and all future compliance trainings, should explicitly outline the  requirements, expectations, and repercussions for any future violation of the updated policy. According to the revisions to the FCPA, all updates to company policies should incorporate methods of documenting business transactions and internal audits on ephemeral messaging services. Companies with bring your own device policies may also want to consider whether to allow employees to use ephemeral messaging services or prohibit use entirely to prevent employees from maintaining data after departure from the company.

According to the recent FCPA revisions, companies may also want to prohibit the use of certain messaging systems and encourage the use of corporate messaging applications such as Skype or Slack. Both Skype and Slack can allow the company to maintain control over data transmitted in the app for record keeping or internal audits.  Many companies may choose to ban the use of mobile messing applications altogether to prevent concerns over misuse of messaging apps, loss of data, or violations of the FCPA. Such a ban should be explicitly communicated to all officers, directors, stockholders, and third-party agents. The FCPA revisions still require companies to remediate and report any evidence of violation of the FCPA to the SEC and DOJ. The FCPA encourages companies who self-disclose to “investigate, identify, and self-report evidence implicating individuals involved in the misconduct”.