A closer look at the revised FCPA Corporate Enforcement Policy

On March 8, Assistant Attorney General Brian Benczkowski in remarks delivered at the ABA National Institute on White-Collar Crime Conference cryptically said the Justice Department was “currently in the process of updating the FCPA Corporate Enforcement Policy to bring it in line with current practice.” It was on that same day with little fanfare that a variety of revisions were made.

The original FCPA Corporate Enforcement Policy was implemented in November 2017 to give the compliance and legal community greater transparency and consistency around how the Criminal Division’s Fraud Section measures and credits voluntary self-disclosure, cooperation, and remediation efforts in criminal matters. The revised policy adds new language covering everything from self-disclosure and cooperation credit to its interactions with corporate counsel during internal investigations.

One of the more notable changes under the revised policy from a compliance standpoint pertains to the requirement concerning retention of business records. Under the original policy, demonstrating “appropriate retention of business records” included “prohibiting employees from using software that generates but does not appropriately retain business records or communications.”

This provision, which effectively put a blanket ban on the use of all messaging platforms, was immediately and widely criticized by companies and the corporate defense bar as overbroad and unrealistic, especially for multinational companies operating in countries where messaging apps—such as the widespread use of WeChat in China and WhatsApp in Brazil—are routinely used for, and are an indispensable part of, legitimate business communications.

“A lot of companies didn’t have any policies addressing this,” says James Koukios, former senior deputy chief of the Fraud Section at the DOJ and now a partner at law firm Morrison Foerster. For companies that did have such policies in place, they were essentially loose policies that wouldn’t have stood up to the “very strict guidelines” that the Justice Department had outlined in the FCPA Corporate Enforcement Policy, he says.

“The broad takeaway is that people who are registered with the Commission—like investment advisors or broker dealers—probably need to stay away from ephemeral messaging apps right now.”

Shamoil Shipchandler, Partner, Jones Day

So, it’s with great relief that the revised policy softens the Justice Department’s stance on this restriction by acknowledging these concerns and, instead, calls on companies to implement “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.”

The revised policy effectively leaves it in the hands of companies to decide what communication avenues work best for their own operations. It also means, however, that compliance officers must carefully consider what policies and procedures need to be put in place to ensure the proper retention of business records to satisfy the Justice Department’s expectations.

Shamoil Shipchandler, a partner at law firm Jones Day, recommends that compliance officers consider the following measures:

• Ensure the company has a specific business justification for using ephemeral messaging platforms, taking into consideration the company’s legal and regulatory risks.
• Carefully craft written policies governing the use, safeguarding, and retention of ephemeral messaging, including clear guidance as to when the use of ephemeral messaging is appropriate (e.g., logistics purposes) and when it is not (e.g., substantive communications).
• If the company allows employees to use their own devices for business communications, carefully craft “Bring Your Own Device” policies that apply specifically to the use of ephemeral messaging.
• Provide regular training on the appropriate use of ephemeral messaging, and document that training.
• Periodically test and audit the use of ephemeral messaging.
• Discipline employees who violate company policies related to ephemeral messaging and record those disciplinary actions.

It’s also important to keep in mind that, while the Department of Justice acknowledges there are legitimate business purposes for using messaging apps, the Securities and Exchange Commission does not provide that carveout right now. In December 2018, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert in which it reminded advisors “to review their risks, practices, policies, and procedures regarding electronic messaging and to consider any improvements to their compliance programs that would help them comply with applicable regulatory requirements.”

To meet the record retention obligations under the books-and-records rule, the SEC recommended in that risk alert that advisers prohibit the business use of apps and other technologies that “can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up.”

Shipchandler, who is a former senior officer with the SEC, says the warning here is that SEC-registered broker-dealers and investment advisers should continue to practice great caution concerning the use of messaging apps. “While the risk alert is not a position statement by the Commission itself, it demonstrates how line examiners are going to be evaluating policies and procedures, especially around messaging apps,” he says. “The broad takeaway is that people who are registered with the Commission—like investment advisors or broker dealers—probably need to stay away from ephemeral messaging apps right now.”

M&A due diligence

A second notable revision in the policy memorializes the agency’s earlier position concerning cooperation credit in the context of mergers and acquisitions. While companies have always known they can engage with the Justice Department concerning potential successor liability issues, the benefits were never formally stated.

The new policy now clearly states that “there will be a presumption of a declination” where a company undertakes a merger or acquisition and uncovers misconduct “through thorough and timely due diligence or, in appropriate instances, through post-acquisition audits or compliance integration efforts, and voluntarily self-discloses the misconduct and otherwise takes action consistent with this policy (including, among other requirements, the timely implementation of an effective compliance program at the merged or acquired entity).”

In an additional footnote, the Justice Department added, “in appropriate cases, an acquiring company that discloses misconduct may be eligible for a declination, even if aggravating circumstances existed as to the acquired entity.”

The policy change reflects remarks made in July 2018 by Deputy Assistant Attorney General Matthew Miner, announcing the agency’s intent to apply the principles contained in the FCPA Corporate Enforcement Policy to successor companies that disclose wrongdoing uncovered in connection with mergers and acquisitions. “We believe this approach provides companies and their advisors greater certainty when deciding whether to go forward with a foreign acquisition or merger, as well as in determining how to approach wrongdoing discovered subsequent to a deal,” he said.

In a third change to the policy, new language has been added that now states that, to receive credit for voluntary self-disclosure in FCPA matters, a company must disclose “all relevant facts known to it, including all relevant facts about individuals substantially involved in or responsible for the violation of law.” This revision was made simply to harmonize the Corporate Enforcement Policy with language that previously had been added to the Yates Memo in November 2018.

“[W]e now make clear that investigations should not be delayed merely to collect information about individuals whose involvement was not substantial, and who are not likely to be prosecuted,” Deputy Attorney General Rod Rosenstein said when he first unveiled the changes in the Yates Memo.

At a high level, anytime the Department of Justice is responsive to comments and criticism from the business community and shows a willingness to refine its policies where practical and appropriate, that’s always a welcome development for the legal and compliance community.