Compliance officers should carefully consider a change in FCPA enforcement policy from the Justice Department that gives companies more discretion in how employees can handle business communications — discretion that, in practice, may be more trouble than it’s worth.
The shift applies to so-called “ephemeral communications” that people might send via Snapchat, Confide, or other apps, where the message disappears shortly after the recipient reads it. Such apps are popular, because they provide extra privacy to communication: no permanent record of the conversation survives. Alas, they also run directly counter to business record-keeping requirements, creating a dilemma for anyone investigating allegations of employee misconduct.
Until this month, the Justice Department solved that problem with a clear rule: any company under investigation for misconduct and seeking cooperation credit must “prohibit employees from using software that generates but does not appropriately retain business records or communications.”
Prohibit, period. Regardless of how difficult that goal might be to achieve in practice, it was clear.
On March 8, the Justice Department amended its policy to be more flexible. Companies don’t need to prohibit ephemeral communications outright if they want to secure cooperation credit. The new standard is only that companies “implement appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.”
In other words, the Justice Department has given companies more discretion in how they govern employees’ use of disappearing communications. Now the challenge is how to exercise that discretion wisely.
Policy Management Implications
Clearly companies should adopt some type of written policy about the issue. The Justice Department plainly states that companies should “implement appropriate guidance” on how employees should behave. That’s a policy. Verbal policies quickly become corporate folklore open to subjective interpretation. Written policies are the cure here.
Each company needs to decide for itself what that policy should be. Compliance and legal departments will need to consider questions such as:
- How do employees typically communicate among their peers? Especially in emerging markets with authoritarian governments, use of disappearing messages is common.
- Does the company have any contractual obligations for business record-keeping? For example, is it a government contractor that might be subject to open record laws?
- How could disappearing messages figure into civil litigation? Imagine, for example, that your company is a defendant in an intellectual property theft lawsuit — and a jury hears that your employees use disappearing messages all the time.
- Should different policies apply to different employees? That is, even if colleagues Snapchat among themselves, should a general manager be allowed to send disappearing messages to the pretty young intern?
Investment firms regulated by the Securities & Exchange Commission raise another point: the SEC hasn’t changed its stance that investment firms must ban ephemeral communications among employees. For that group, the Justice Department’s policy change is irrelevant. Other firms regulated by other agencies should check whether they’re in a similar situation.
Companies will need to understand the business purpose of different types of employee communications, and then decide whether those purposes are subject to enough regulatory or compliance risks that extra record-keeping policies and controls are necessary.
That is, nobody cares if employees send Snapchats about the corporate cafeteria menu. Disappearing messages about new hires, sales rebates for customers that are government agencies, or exception requests for facilitation payments — those are another matter, where the company might want to prohibit disappearing messages for such sensitive subjects. Some companies might decide to err on the side of simplicity and keep a ban on ephemeral communications anyway.
Whatever policy the company does adopt, then come all the usual steps, as with any other policy: provide training, audit effectiveness of the policy and accompanying controls, discipline non-compliant employees. Document all those steps.
The bottom line is that the Justice Department is giving companies the ability to exercise judgment over their own policies and internal controls. By implication, however, that means companies must exercise judgment about this potentially difficult workplace issue — and then be able to defend that judgment in hindsight.
Above all, however, do something. Otherwise the view in hindsight could be pretty unpleasant.