The ‘WeChat Effect’: understanding the compliance risks of mobile messaging apps
February 2019 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
February 2019 Issue
Instant messaging apps such as WeChat, WhatsApp and QQ are having a profound impact on the way people communicate around the world. In Asia, where the adoption rate of such technologies has been nothing short of astounding, instant messages are already surpassing email as the primary mode of work communication. These mobile communication tools offer significant benefits, but they also open the door to serious compliance and regulatory risks, many of which have never been encountered previously. This article outlines the rapid rate of adoption of such apps, surveys the resulting risks, discusses the views of US regulators and explores practical ways that companies might mitigate these risks.
By the third quarter of 2018, there were 1.3 billion monthly active users of Facebook Messenger and 1.5 billion monthly active users of WhatsApp globally. WeChat, which is mostly used in China, has hit more than 1 billion active monthly users, most of whom have joined in the last seven years, according to Statista.
Employees are increasingly using these apps to communicate about business matters, creating serious compliance risks in at least four areas, as outlined below.
Data security. A company may spend millions to build a state-of-the-art network, yet employees repeatedly send sensitive and confidential business information over unsecured networks and personal messaging accounts. Among other things, this also means that when an employee leaves a company, he or she may take sensitive company data stored on his or her phone. He or she may also remain in work chat groups, and therefore may continue to be privy to messages containing proprietary information.
Off-the-book transactions. Many off-the-book transactions occur through mobile payments made on personal phones. This is particularly true in China, where cash is becoming obsolete, and WeChat is king.
Recordkeeping. Information transmitted via mobile messaging apps is hard to preserve and reproduce. For example, in China, the ‘M&A deal team’ is now a WeChat group, and deal documents are frequently exchanged via the app.
Audits and investigations. Key correspondence and evidence for conducting audits and internal investigations are now outside of the company’s reach unless voluntarily provided by an employee or third-party whistleblower.
To compound matters, many companies have bring your own device (BYOD) policies, meaning that mobile phones are not company property and cannot be copied without individual consent. As a result, often the most valuable sources of evidence in an internal investigation – messages transmitted over mobile messaging apps – are not available unless voluntarily provided.
The US regulator’s view
In November 2017, the US Department of Justice (DOJ) announced the FCPA Corporate Enforcement Policy, which extended and enhanced the FCPA Pilot Programme by permitting a company that voluntarily self-reports, cooperates and remediates to be eligible for a declination, unless certain aggravating circumstances exist. Notably, the policy appeared to include a serious caveat with respect to mobile messaging apps. As part of any declination-worthy remediation, a company must enact the “[a]ppropriate retention of business records, prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications”. In other words, the policy appears to suggest that a company that fails to enact a mobile messaging policy may forgo a declination.
Then, in public remarks in March 2018, David Johnson, assistant chief of the DOJ Criminal Division’s Foreign Corrupt Practices Act (FCPA) unit, appeared to take a step further, encouraging companies to act now: “I would urge you to think of that right now, as opposed to having to deal with it in hindsight when records do not exist and you’re trying to make a pitch to the Department of Justice, or SEC or a foreign authority about why it’s not unreasonable [that certain records were not retained] … [Companies may consider] whether it makes sense for employees to be able to use those types of services and if so under what circumstances, and whether there need to be prophylactic measures or workarounds put in place consistent with the compliance policy.”
To date, the DOJ has not, however, provided guidance on the kinds of prophylactic measures or workarounds that are appropriate or practical.
Against this backdrop of uncertainty, below are seven practical steps companies may consider.
First, check and update internal policies to determine whether they explicitly address the use of instant messaging for company communications. If they do not, revise the policies or add an addendum that specifically addresses this issue. A blanket prohibition may not be necessary or practical, but certain communications should be strictly prohibited, for example sending company data or documents via WeChat.
Second, ensure that compliance training and materials appropriately address the use of mobile messaging apps.
Third, encourage employees to use corporate versions of messaging apps, such as Skype for Business, Enterprise WeChat, Google Hangouts and Slack, which allow data to be preserved.
Fourth, consider issuing company mobile phones, containing pre-installed enterprise apps, to all employees, or at least a select group in higher risk positions.
Fifth, require employees to run redundant instances of mobile messaging apps on company servers in order to capture and retain communications. A small number of service providers have developed such software solutions, such as Actiance and Dynatrace.
Sixth, require employees to upload mobile messages to company servers on a regular basis, for example once a week. This could, for example, be part of the job description of a particular member of an M&A deal team.
Finally, during internal investigations, ask employees to provide any evidence they may have on WeChat or other messaging apps. In addition, add search terms referencing mobile messaging to any email review.
Dan Newcomb is of counsel, Brian Burke is a partner and Caitrin McKiernan is a senior associate at Shearman & Sterling. Mr Newcomb can be contacted on +1 (212) 848 4184 or by email: email@example.com. Mr Burke can be contacted on +1 (212) 848 7140 or by email: firstname.lastname@example.org. Ms McKiernan can be contacted on +852 2978 8048 or by email: email@example.com.
© Financier Worldwide