Smartphone users in China and many other emerging economies increasingly rely on so-called super-apps, which integrate features otherwise accessible through multiple applications under a single user interface and account.
The convenience of using a single super-app for personal communications, social media, online shopping, travel, finance and other services has not only changed the online consumer experience; but has impacted business practices as well. Super-apps allow seamless interaction between colleagues, customers, suppliers, and advisors through the formation of shared chat groups, providing efficient platforms to negotiate terms and finalize agreements. Some super-app suites are expressly designed for business collaboration. In China and other jurisdictions, many local companies are abandoning email and expect the convenience of interacting with their suppliers and business partners through super-apps.
Conducting business communications through super-apps presents grave compliance and risk-management challenges. Like a personal email account or private telephone, an employee's personal super-app account generally lies outside an employer's IT networks. Massive amounts of data on communications, payments and activities data generated by the super-app are stored on third-party servers inaccessible to the employer, frustrating efforts to preserve and evaluate evidence in the fact of regulatory probes or litigation. The data is unshielded by the employers' network security systems, raising risks of unauthorized access or disclosure and resulting commercial losses and liabilities. Live communications through super-apps are obscured from employer network surveillance functions designed to detect prohibited online activities on a real-time basis.
With the adoption on November 29, 2017 of a new US Foreign Corrupt Practices Act Corporate Enforcement Policy (FCPA Enforcement Policy), the US Department of Justice confirmed its expectation that companies restrict the use of third-party apps for undocumented business communications. Pursuant to the FCPA Enforcement Policy, if a company has "voluntarily self-disclosed misconduct in an FCPA matter, fully cooperated and timely and appropriately remediated," then there is "a presumption that the company will receive a declination absent aggravating circumstances" or a substantial reduction in penalty in the event of aggravating circumstances.
However, the FCPA Enforcement Policy stipulates that certain compliance measures "will be required for a company to receive full credit for timely and appropriate remediation." Among them: "prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications." The DOJ's admonition reflects past experiences with evidentiary trails dead-ending with third-party messaging platforms or super-apps in foreign jurisdictions.
Outright prohibiting the use of third-party smartphone messenger apps and super-apps might be ideal for managing data security and compliance risks, but that approach may not be commercially realistic. This is particularly true in China and other jurisdictions where super-apps are now dominant modes of business communication for legitimate reasons of efficiency and convenience (as opposed to nefarious purposes of concealing misconduct).
Consequently, companies may instead seek to ensure effective documentation and control of any business use of smartphone super-apps. This may entail a combination of formal policies defining permissible uses of smartphone super-apps, procedures for monitoring and verifying compliance, and technological solutions designed to ensure that any employee use of smartphone super-apps for business purposes is appropriate and properly documented. Such policies should conform to local employment laws and data privacy standards.
With the widespread adoption of super-apps, multinational companies operating in China and other emerging economies may be exposed to heightened compliance risks, particularly in light of the FCPA Enforcement Policy. Now may be a good time to re-evaluate whether these practices are prevalent within your organization and what steps the company may take to mitigate these risks.