The U.S. Department of Justice (DOJ) has issued revised guidance regarding what records companies must retain to be eligible for full remediation credit under the FCPA Corporate Enforcement Policy. Previously, the Policy effectively required companies to ban the use of any ephemeral messaging applications which automatically delete data, such as WhatsApp and Wickr. The amended Policy is less rigid and only requires companies to implement “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.” We consider what this new guidance means for companies’ internal policies and protocols on software platforms and the retention of business records and communications.
The DOJ issued the FCPA Corporate Enforcement Policy in November 2017, expanding upon its 2016 FCPA Pilot Program, to further incentivize companies to voluntarily disclose, cooperate, and remediate FCPA misconduct and to provide greater predictability about benefits that will accrue when a company takes such actions. Among other things, the 2017 Corporate Enforcement Policy stated that “full cooperation” and “timely and appropriate remediation” were necessary to receive maximum credit and benefits under the Policy. The 2017 Policy specified that:
The following items will be required for a company to receive full credit for timely and appropriate remediation . . . Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications. (DOJ, U.S. Attorney’s Manual § 9-47.120(3)(c) (Nov. 2017) (emphasis added)).
“Software” that “generates but does not appropriately retain business records or communications” appears to refer to platforms that are not designed to preserve or save communications or other data, for example, because they delete such messages on a rolling basis or after review by the recipient. On its face, the Policy’s language seemed to require that companies bar employees from using such ephemeral messaging systems for business purposes in order to be eligible for full remediation credit—unless they could find a way to preserve those communications.
Subsequently, the DOJ indicated that record retention relating to instant messaging services such as WhatsApp and WeChat was an area of focus, but was equivocal as to whether it would require a company-wide ban on such apps and software as a prerequisite to granting full remediation credit. For example, at the TRACE Forum in Washington, D.C., on March 8, 2018, David Johnson, Assistant Chief of the Criminal Division’s Fraud Section, urged companies to reflect upon whether employees should be permitted to use messaging services at all, and, if such applications were being used, how and when they should be permitted and whether “prophylactic measures” were necessary. Johnson also cautioned that companies should think about addressing the issue prior to any enforcement action by U.S. and/or foreign authorities, so as to avoid finding themselves in a situation where relevant records were not retained—despite the fact that the requirement appeared in the section of the Policy relating to “remediation.” Daniel Kahn, Chief of the Fraud Section’s FCPA unit, likewise stressed at the American Conference Institute in New York in May 2018 that “disappearing communications” may complicate the investigation of corporate wrongdoing and that a company “can’t undo its WhatsApp policy and then expect full credit,” expressing skepticism about why businesses would be using such apps. Moreover, some constituents received indications from the government that insufficient retention policies could jeopardize not only remediation credit, but also cooperation credit. On the other hand, when speaking in his individual capacity, Johnson recognized that the government was not “going to tell you that you cannot use WhatsApp . . . per se.” Kahn similarly acknowledged that a risk-based approach would not categorically be deemed a failure to comply with the Policy, despite the seemingly unqualified language in USAM 9-47-120(3)(c).
Use of instant messaging by companies and international regulators
Following the publication of the 2017 Policy, practitioners and companies vocalized that record retention was “an area ‘a number of companies are struggling with,’” noting that messaging apps have become common modes of business communication abroad, especially in certain countries such as Brazil or China. There are many legitimate reasons why employees might opt to use ephemeral messaging for business including speed, ease of use and convenience, unique functionalities, client preference, reliability, and even stronger security—all of which are entirely independent of their “disappearing” functionality.
Even international regulators have successfully relied on instant messaging systems to coordinate in recent cross-border investigations, further supporting the position that such applications might in fact have legitimate business uses for companies. In one such instance, instead of using more formal (and slower) channels, Brazilian prosecutors used a WhatsApp Group with French prosecutors to compare evidence before sending MLATs and to coordinate simultaneous raids in connection with the Rio Olympics bribery investigation. Moreover, for cost-saving reasons many employers expect employees to use personal devices for work performed outside of the office, posing additional challenges to restricting or monitoring business communications. These considerations, along with others, highlight the impracticality of a blanket ban on ephemeral applications.
DOJ revises guidance on business record retention requirements
The DOJ appears to have taken note of these concerns. On March 8, 2019, along with a number of other changes, the DOJ revised the business record retention requirements. The 2019 Policy now reads as follows:
Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations. Justice Manual § 9-47.120(3)(c) (emphasis added).
The new language, which is less draconian on its face, appears to reflect the DOJ’s present understanding that a more nuanced approach is better in assessing corporate record retention policies.
What now? Considerations for Corporate Record Retention Policies
Understand your legal retention obligations
There are many reasons why an organization may retain data—among them, to be able to perform regular business functions and access information in the ordinary course, as well as detection of problematic activity by employees and compliance with applicable laws and regulations. Pursuant to the Policy’s new guidance, companies that permit employees to use personal communications (such as personal email addresses) or disappearing messaging platforms should be diligent in assessing, and, if necessary, revising, their internal policies and protocols to ensure compliance with various record retention obligations. As part of this process, companies should analyze applicable legal obligations given the types of records or communications at issue, industries and jurisdictions in which a company operates, location of employees, employee roles and different lines of business.
As part of the FCPA statute, entities that qualify as an “issuer” under the relevant sections of the Securities and Exchange Act must comply with the FCPA’s “books and records” and “internal accounting controls” provisions. Section 13(b)(2)(A) of the Exchange Act requires issuers to “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.” Similarly, Section 13(b)(2)(B) of the Exchange Act requires issuers to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that . . . transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets.” Failure to sufficiently maintain books and records or internal accounting controls can serve as a separate basis for an SEC or DOJ enforcement action against an issuer, regardless of whether an actual bribe or other improper behavior can be proven.
Aside from the FCPA, there are many legal regimes that may create retention obligations for U.S. and non-U.S. companies. There are industry-specific U.S. regulations applicable to different types of companies, including financial institutions, exchange members and broker-dealers. There are preservation requirements that arise in certain circumstances, such as the obligation under U.S. federal law to preserve documents and electronically stored information where there is a “reasonable anticipation” of litigation (and failure to do so can subject a company to sanctions). Legal obligations regarding record retention will also vary by jurisdiction, and so companies operating in multiple jurisdictions may be subject to divergent regimes. For example, companies regulated by the UK Financial Conduct Authority (FCA) must comply with the Systems and Controls (SYSC) chapter of the FCA Handbook which effectively bans business from being conducted on private devices. The FCA has demonstrated its willingness to bring enforcement actions relating to these issues, including a recent fine levied on a former investment banker for sharing client confidential information over WhatsApp. Due to the complexity of this area, companies should consult counsel in assessing applicable retention obligations.
Put in place appropriate data retention controls
Once applicable legal retention obligations have been identified, a company should consider how to put in place data retention controls that appropriately conform to these obligations and that account for each of the platforms which employees are permitted to utilize. Given the evolving nature of communication technologies, where various tools and software can be used for a wide variety of purposes and the lines between “personal” and “business” can easily blur, companies will have to make risk-based decisions on an ongoing basis as to whether and how to allow new technologies for business purposes while complying with their obligations under the law. Moreover, in an era of mounting risks of data breaches and new data privacy regimes, such as the EU’s General Data Protection Regulation (GDPR), companies should also consider when limited communication retention may be beneficial and, in some instances, mandatory.
Practical considerations may include:
• which communications software and applications should be permitted;
• which employees should be allowed to use specific communications software and applications;
• when and for what purpose specific communications software and applications may be used;
• what content can be transmitted or communicated over specific communications software and applications;
• whether retention policies should differ for different communication mediums; and
• whether it is feasible and appropriate to implement methods to back up or retain data transmitted over otherwise ephemeral communications software and applications.
Training and keeping policies up to date
Companies should also consider how to best ensure that policies are current and updated on a regular basis, that employees are properly trained and that solutions are put in place to guarantee compliance with these policies, including:
• where feasible and appropriate, implementing methods to monitor the use of specific communications software and applications (e.g., such as tracking and/or blocking installation of specific communications software and applications on company devices);
• where feasible and appropriate, implementing methods to monitor the content transmitted over specific communications software and applications;
• obtaining employee consents to monitor, preserve, and/or collect necessary data; and
• establishing disciplinary measures for failures to comply with relevant policies.