Black Logo

Our site uses cookies to give you the best user experience and to collect and share information for analytics, advertising and personalization on this and other sites. Please select whether you consent to our use of cookies and related technologies (“Cookies”), as described in our Cookie Policy. You can return at any time from the same web browser to update your preferences. Please note that resetting your browser’s cookies will reset your preferences. You can control the use of some types of cookies through the Cookie Settings below, but note that if you choose to disable certain cookies, it may limit your use of certain features or functions on our services and websites.

Privacy Policy
Strictly Necessary Cookies

These cookies are required to enable core site functionality.

Functionality Cookies

Functionality cookies allow us to provide enhanced and more personalized content and features. In order to permit your connection our website, our servers receive and record information about your computer and browser, potentially including your IP address, browser type, and other software or hardware information. All of these features help us to improve your visit and assist in navigation of the sites’ features.

Analytics Cookies

We and our service providers may use analytics cookies, which are sometimes called performance cookies, to collect information about your use of our website, for instance, which pages you go to most. The information allows us to see the overall patterns of usage, help us record any difficulties users may have while using our website and can show us whether or not our advertising is effective.

Advertising And Targeting Cookies

We may use third party advertising and targeting cookies to correlate your use of our website to personal information obtained about you so that we may more clearly target the information we provide you to the specific items we think you will find interesting, based on your prior online activities and preferences. We also may use these cookies to deliver ads that we believe are relevant to you and your interests.

For more information, view our Cookie Policy


Ephemeral messaging, FCPA, & the DOJ: Three things lawyers & compliance officers need to know

Legility , Sarah Brown 04 / 30 / 19

In November of 2017, the Department of Justice modified its FCPA Corporate Enforcement Policy – the policy which guides compliance officers, corporate counsel, and internal auditors on compliance with the Foreign Corrupt Practices Act. The DOJ’s modification required companies subject to FCPA regulations to completely prohibit their employees from using ephemeral messaging – popular examples of which include WhatsApp, WeChat, Signal, Viber, and Snapchat..

This policy banned any company doing business across borders from using many popular platforms for communication without risking FCPA noncompliance; essentially limiting companies to conduct all communication through email and other standard forms of communication.

US Department of Justice updates ephemeral messaging policy

In March of this year, the DOJ updated their messaging app policy to refine their earlier prohibition. Now, companies are no longer expected to prohibit employees from using ephemeral messaging, but instead requires them to implement appropriate guidance and controls over these types of platforms and communications.

Specifically, the revisions state that for a company to receive full credit for timely and appropriate remediation, the company is required to satisfy requirements including:

Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company's ability to appropriately retain business records or communications or otherwise comply with the company's document retention policies or legal obligations.



Essentially, the DOJ lifted an outright ban and instead, put in place the requirement that companies must've adequate retention policies and appropriate controls to maintain compliance.

Who is affected by the DOJ FCPA ephemeral messaging rule?

The cloud is simply a data center – containing varying levels of hardware and software, housing variable amounts of data – all accessible via secure logins via the internet. That’s it.

This new rule modification – like the original policy from 2017 – applies to any company with an FCPA policy or potentially at risk for FCPA violations. This means that any company doing business internationally should ensure compliance with the new policy. Some industries, however, face more FCPA scrutiny than others: Namely, manufacturing, mining, energy / oil & gas, pharmaceuticals, and of course any company doing business in any country that rates highly on the corruption index.

What do lawyers need to know?

The DOJ’s swiftly evolving sophistication on this subject means that it’s no longer acceptable to claim ignorance – no compliance officer or corporate counsel can now expect to say, “We don’t know how to deal with WhatsApp!” Savvy lawyers, compliance officers, and auditors must ensure their companies or clients ave policies in place to deal with these types of communication.

  • Carefully consider your BYOD policies:When employees bring their personal phones into the workplace, mixing personal and business communications, data privacy issues can complicate compliance with retention policies around ephemeral messaging. When working in particularly high-risk areas, such as companies doing business in high-risk regions, or positions at higher risk such as procurement, supply chain, or employees with frequent government touch points, consider banning personal devices for work purposes outright. Ultimately, it’s cheaper for companies to provide phones for all these employees than later dealing with discovering data from a personal device when facing an FCPA investigation.
  • Restrict use of messaging apps for business communication:If your business uses any messaging apps for business communication, restrict the use of such apps to devices that the company owns, or can control and review.
  • Review data privacy policies and procedures: Ensure all business communications within a messaging app can be reviewed without violating an employee’s right to privacy on personal devices. This is especially important in jurisdictions with heightened data privacy regulations such as Europe, which is subject to the General Data Protection Regulation (GDPR). Refer again to No. 1 – it may be cheaper for compliance purposes to provide company-owned devices than risk potential FCPA violations coupled with GDPR sanctions – and potential additional sanctions should relevant communication that took place on ephemeral messaging apps ultimately be unrecoverable.

What’s clear is that there is now an onus on companies to have awareness of what’s going on with ephemeral messaging apps – companies must include these data types in their FCPA audits, compliance policies, and any data collections and discovery requests, or risk exposure to fines, sanctions, regulatory action, and reputational damage.

See how agile for legal can work for your next review project.

About the author


Legility, a leading provider of technology-enabled legal services, provides consulting, technology, managed solutions, and flexible legal talent to corporations and law firms. The company has more than 1,000 lawyers, engineers, consultants, technology and data specialists, and operational experts serving more than one-third of the Fortune 100 and one-quarter of the Am Law 200. Legility helps its clients improve operational efficiency. By combining people, processes, and technology, Legility offers innovative and bundled solutions that align with how the legal market is increasingly looking to engage.

Subscribe to Insights

Your one-stop shop for the Legility logo & more.

Your one-stop shop for the Legility logo, brand guidelines, photography assets, and more.

Subscribe to insights