FCPA Corporate Enforcement Policy Update: DOJ Introduces New Compliance Requirements for Companies Using Instant Messaging Platforms
On March 12, 2019, the United States Department of Justice (the “DOJ”) revised key provisions of the FCPA Corporate Enforcement Policy (the “Policy”). The revisions formalize several of the DOJ’s remarks and announcements since the Policy was adopted, and relaxed and clarified several criteria for self-disclosure, cooperation, and remediation. Most notably, the revisions soften the Policy’s original restriction against use of instant and ephemeral messaging services and platforms for business communications, instead adding a focus on “appropriate guidance and controls” to ensure retention of business records.
Key Policy Revisions
The Policy, first announced by Deputy Attorney General Rod Rosenstein in November 2017, updated and formalized the DOJ’s criteria for evaluating and rewarding corporate cooperation and self-disclosure in FCPA cases.1 The Policy provided a “presumption” that the DOJ will decline to prosecute a company if the company satisfies the standards set forth for voluntary self-disclosure, full cooperation, and timely and appropriate remediation (or a 50% reduction off the sentencing guidelines where the criteria for a declination are met, but where aggravating circumstances are present).2 The Policy set forth guidelines for fulfilling the self-disclosure, cooperation, and remediation factors, which is intended to encourage companies to take active steps to self-report misconduct and address compliance shortcomings.
The March 2019 revisions to the Policy further clarify the DOJ’s expectations for securing credit. The revisions incorporated two remarks made by DOJ officials since the Policy was initially adopted, while also adding two new changes to the Policy’s guidelines:
- Disclosure Regarding Responsible Individuals: As Rosenstein originally remarked in a November 2018 speech, the DOJ softened its prior demands for companies to provide all relevant facts on individuals “involved” in FCPA violations. Instead, the Policy now allows full cooperation credit for companies who disclose relevant facts about individuals “substantially involved in or responsible for” the violations.3
- Credit in Mergers and Acquisitions Context: Also foreshadowed in a July 2018 speech given by the DOJ Criminal Division Deputy Assistant Attorney General Matt Miner, the Policy now clearly provides cooperation credit in the M&A context—including a declination to prosecute for post-acquisition misconduct—if an acquirer conducts appropriate due diligence and promptly self-discloses any uncovered misconduct to the DOJ and otherwise complies with the Policy on cooperation and remediation.4
- Additional De-confliction Guidance: As a new change, the DOJ added a footnote to the Policy to emphasize that, while it may make requests for de-confliction5 purposes, it “will not take any steps to affirmatively direct a company’s internal investigation efforts.”6
- Refocusing on Business Records and Communications: Also a new and notable change, companies are required to retain business records, prohibit “the improper destruction or deletion of business records,” and implement “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.”7
Revision to the Business Records and Communication Requirement
The revision to the business records and communication requirement is particularly notable. The original Policy required that companies prohibit use of “software that generates but does not appropriately retain business records or communications” to secure full cooperation credit. Many interpreted this prohibition to mean banning use of messaging apps, like WhatsApp, WeChat, Line, KakaoTalk, and Skype, which were ephemeral and/or outside the company’s communications records ecosystem. In practice, because these messaging apps constitute such a prevalent and indispensable component of business, this requirement would have effectively prevented many companies from earning full cooperation credit under the Policy. However, there is no indication that the DOJ enforced this requirement. Since the Policy was adopted in 2017, no public resolution has cited a company’s prohibition on software as a remediation factor considered by the DOJ.
The revised Policy instead focuses on “improper destruction or deletion” of records and introducing compliance requirements on “appropriate guidance and controls” over such communications. The change can be significant for companies doing business in markets where such communications apps are ubiquitous and routinely used between business contacts. In China, for instance, use of WeChat for business communications is practically universal; the same is true for KakaoTalk in South Korea and Line in Japan. The DOJ’s revised requirements signal the need for companies to consider their approach towards communications recordkeeping and retention.
What Impact Will This Have?
Overall, the Policy revisions reflect the DOJ’s revisiting the Policy requirements with a lens towards practicality. The revisions also lend more room for DOJ attorneys to evaluate each case’s particular facts and circumstances in making a decision towards declination. Regardless of what the specific changes entail, they signal the DOJ’s continued interest in encouraging companies to self-disclose, cooperate, and remediate.
In response to the revisions, companies may want to consider the following:
- With the revisions to the business records and communication requirements, it will be important to establish appropriate policies, IT systems, and controls around communication devices, tools, and applications. A key challenge will be striking the right balance between fulfilling the new Policy requirements with the practicalities of how business communications are carried out in different geographic markets.
- While the DOJ has emphasized it will not direct companies on how to conduct internal investigations, appropriate communication and coordination with the DOJ is still important to ensure de-confliction issues are appropriately addressed in the course of the internal investigation.
- Following these formal revisions to the Policy, it will be revealing to see how these issues are reflected in newly published DOJ corporate settlements (both FCPA and other corporate resolutions).
- Irrespective of the revised language, the DOJ has not changed its continued focus on individual culpability. Companies considering self-disclosure will still need to think carefully about taking necessary steps to investigate, identify, and self-report evidence implicating individuals substantially involved in the misconduct.
1 However, the DOJ has stated that the principles of the Policy will also serve as guidance in the prosecution of non-FCPA cases.
2 Press Release, DOJ, Remarks of Deputy Attorney General Rod Rosenstein at 34th International Conference on the Foreign Corrupt Practices Act (Nov. 29, 2017), https://www.justice.gov/opa/speech/deputy-attorney-general-rosenstein-delivers-remarks-34th-international-conference-foreign.
3 DOJ, Justice Manual, 9-47.120, FCPA Corporate Enforcement Policy (2019) (emphasis added).
5 The DOJ may request that a company defer investigative steps like employee and third-party interviews for a limited period of time to avoid a potential conflict with the DOJ’s investigation. The Policy refers to this as “de-confliction.”
6 Justice Manual, supra note 3.
7 Justice Manual, supra note 3.