With the rollout of its updated FCPA Corporate Enforcement Policy (Policy), the Department of Justice is signaling to companies that it’s time to get the message: literally. The revised Policy (effective March 12, 2019) embraces much of what top DOJ brass have remarked about over the last year, and particularly addresses companies’ obligations for preserving ephemeral, or disappearing, communications (think: Skype, Slack, WhatsApp) as part of their records. Although this particular revision lifts what amounted to an effective ban on use of these messaging platforms, whether in-house compliance regimes can account for these types of records remains to be seen.
In 2017, in recognition of the “unique issues presented in FCPA matters,” DOJ established the Policy, which rewards companies that self-disclose FCPA misconduct, fully cooperate with investigatory efforts and timely remediate, with a presumed declination of criminal prosecution (or, where aggravating circumstances are present, a 50% reduction off the sentencing guidelines fine range).[1]
The Policy’s overarching criteria—self-disclosure, cooperation and remediation—are given definition through the Policy’s standards for satisfying each. Now, almost two years after the Policy was first incorporated into the Justice Manual, DOJ’s updates to the Policy offer refinement and relaxation of certain of these standards. Here are the key takeaways:
- Guiding and Controlling the Use of Messaging Apps: Record preservation is one of the hallmarks of FCPA compliance. But with the proliferation of smart phones and instant messaging applications, records are taking form in ways not typically contemplated by traditional record retention policies. Before this update, the Policy effectively precluded businesses from using “software that generates but does not appropriately retain business records or communications”—e.g., apps like WhatsApp that offer ephemeral messaging capabilities. The updated Policy lifts the outright prohibition, instead signaling that companies should implement guidance on how and in what digital form their personnel may communicate, and establish controls that ensure these methods of communication “do not undermine” their abilities to retain business records. Takeaway: Since, in some regions, use of instant messaging apps is a ubiquitous component of business communication, a full-stop restriction on such use may be neither practical nor likely to satisfy this standard. Companies will need to work closely with their Information Technology teams to revise policies and adopt practices that preserve instant messages and create permanency for otherwise ephemeral messages, where possible.
- Disclosing the Important Players: DOJ, presumably having recognized that supplying it with all facts about all persons involved in an FCPA violation was both burdensome to companies and the Department, has refined this disclosure requirement in its updated Policy: companies must now disclose all relevant facts about all individuals “substantially involved or responsible for the violation of law.” Takeaway: In practice, businesses should still undertake to identify all relevant facts about all individuals involved in an FCPA violation—regardless of their prominence in the violation. But now, when a company fails to disclose facts about an individual that played a minor role in the violation, that failure is not likely to jeopardize the company’s entitlement to credit for voluntary self-disclosure under the Policy.
- M&A Deals Get the Declination Deal: Appreciating that FCPA liability may chill productive mergers and acquisitions, DOJ has now officially extended the right to a declination to companies that, in the process of merging with or acquiring another business, uncover FCPA violations and voluntarily disclose them. Takeaway: For transactions where the companies involved have international components, thorough FCPA due diligence is a critical step toward receiving a declination under the Policy. Since due diligence does not always turn up liabilities, and because DOJ’s new standard credits post-acquisition efforts to ferret out any FCPA violations that went undetected, post-transaction risk assessments should be part of all companies’ standard post-closing practices.
- Working with the DOJ: In some instances, DOJ will request that companies defer their internal investigative efforts so they do not conflict with the Department’s investigation (“de-confliction”). These requests happen in limited circumstances, and are intended only to last for the period necessary to avoid conflicting investigations. The updated Policy now includes a footnote clarifying that, though the DOJ may request de-confliction, it will not attempt to direct companies’ internal investigations. Takeaway: Companies should proceed with whatever internal investigations they deem necessary and appropriate, but be prepared to adjust internal efforts when requested by DOJ. Transparent communication with DOJ about an internal investigation can help avoid requests for de-confliction in the first instance.
Bottom line: The revised Policy offers businesses and their compliance departments the opportunity to revisit whether their compliance regimes align with the Policy’s criteria and standards. Annual risk assessments and compliance reviews promote business practices that adhere to the FCPA and enable a quick and effective response when misconduct is detected. The Policy’s most pressing takeaway is that specific attention should be paid to how personnel use messaging apps for business communications, and whether these communications are capable of record retention.
- U.S. Department of Justice, Justice Manual, 9-47.120, FCPA Corporate Enforcement Policy (2019). Unless otherwise cited, all quotations are to the Policy.
[Back to reference]