Last month, the U.S. Environmental Protection Agency (“EPA”) launched its new eDisclosure Portal for electronic self-disclosures of violations made under the Audit Policy and the Small Business Compliance Policy (collectively, the “self-disclosure policies”).1 Over the last several years, EPA has been reviewing the utility and functionality of the self-disclosure program. The Agency has faced challenges in managing the substantial number of self-disclosures it receives, taxing EPA resources and leading to long delays in resolution. The automated eDisclosure system is intended to enable prompt resolution of relatively routine self-disclosures. For such disclosures – primarily those related to violations of the Emergency Planning and Community Right-to-Know Act (“EPCRA”) (i.e.,largely record-keeping and reporting violations) – the new system offers a promising means of quickly and effectively resolving outstanding compliance matters. However, the new system does not appear to provide similar resolution or certainty with regard to the disclosure of other types of violations, including those with the most potential for environmental harm (and, hence, potential penalties in an enforcement matter). As always, companies need to use care before utilizing the new system or turning over compliance information to regulators.
Background on EPA’s Self-Disclosure Policies
Issued in 2000, EPA’s policy titled “Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations” (the “Audit Policy”) encourages companies to voluntarily discover potential violations through self-auditing, disclose them to the EPA, promptly correct them, and prevent their future recurrence. In exchange, companies receive a reduction or elimination of civil penalties and a determination by EPA not to recommend criminal prosecution to the U.S. Department of Justice.
Over the last few years, the policy had fallen into disfavor with the agency, as most disclosures involved relatively minor reporting violations that consumed a significant amount of EPA staff time to address and resolve. The new policy creates a simplified electronic method for accommodating the minor reporting violations with minimum EPA staff input, but still allows for disclosures of other violations, thereby re-invigorating the audit policy that has served the regulated community well for over 15 years.
There are nine conditions for penalty mitigation, which remain unchanged by the launch of the eDisclosure Portal: (1) systematic discovery through an internal or external audit or compliance management program; (2) voluntary discovery of the violation; (3) prompt disclosure to EPA within 21 days of discovery; (4) independent discovery and disclosure; (5) correction and remediation within 60 days from the date of discovery; (6) prevention of recurrence of the violation; (7) the violations are not repeat violations; (8) the violations do not result in serious actual harm, an imminent and substantial endangerment, and do not violate an administrative or judicial order or consent agreement; and (9) cooperation by the disclosing entity.
Self-disclosures made under EPA’s Small Business Compliance Policy, for companies with 100 or fewer employees, also will be accepted through the eDisclosure system. The Small Business Compliance Policy gives businesses longer deadlines for addressing violations.
For companies wishing to utilize EPA’s “New Owner Policy” (“Interim Approach to Applying the Audit Policy to New Owners”), which encourages new owners of facilities to assess potential violations and address environmental noncompliance that began prior to acquisition by offering additional penalty mitigation, the Agency will continue to accept disclosures outside of the eDisclosure system. While “new owners” can make self-reports through the eDisclosure Portal, such disclosures will not be eligible for the penalty mitigation benefits of the New Owner Policy. In addition, eDisclosure will not handle pre-existing disclosures through the new system.
How the eDisclosure Portal Works
Companies that wish to use the eDisclosure system must register with EPA’s Central Data Exchange (“CDX”) system. Existing CDX registrants already identity-proofed under the Cross-Media Electronic Reporting and Recordkeeping Rule (“CROMERR”) need not re-register.
EPA has developed two categories of violations. Category 1 violations include violations of EPCRA that meet all conditions of the Audit Policy or Small Business Compliance Policy. Category 1 does not include Comprehensive Environmental Response, Compensation, and Liability Act (“CERCLA”) section 103 or EPCRA section 304 chemical release reporting violations, or EPCRA violations that resulted in significant economic benefit to the company. Category 2 violations include all non-EPCRA violations, EPCRA violations where the discloser did not discover the violation systematically, and EPCRA/CERCLA violations excluded from Category 1. As the eDisclosure system develops, EPA may expand the types of violations that fall under Category 1.
After receiving a Category 1 disclosure, eDisclosure automatically will issue an electronic Notice of Determination (“eNOD”) confirming that the violations are resolved with no assessment of civil penalties (as long as the disclosure is complete and accurate). After receiving a Category 2 disclosure, eDisclosure automatically will issue an Acknowledgement Letter noting receipt and stating that EPA will make a determination as to eligibility if and when it considers taking enforcement action for environmental violations.
The treatment of Category 2 disclosures is significant, as submitters will not receive any form of resolution of the disclosed matter unless and until EPA pursues enforcement against the facility. Accordingly, while a Category 2 disclosure may help soften the blow of a future enforcement action, the new system does not provide the comfort or certainty available under the prior system from “closing the books” on such matters.
Consistent with the Audit Policy, violations must be disclosed within 21 calendar days of discovery (or by the next business day if that 21st day falls on a weekend or federal holiday). Companies also can submit disclosures of potential violations to give them more time to determine whether the violation actually occurred.
Correction of disclosed violations is subject to a somewhat more rigorous schedule under the eDisclosure system. While the Audit Policy prescribes 60 days to correct disclosed violations, there was flexibility to negotiate appropriate time periods to complete remedial actions for more complex matters. In contrast, under eDisclosure, companies must submit a Compliance Certification 60 days following an Audit Policy Disclosure, or 90 days following a Small Business Compliance Policy disclosure. Category 1 submitters cannot ask for any extensions on the violation correction deadline or the Compliance Certification deadline. If such an extension is necessary, the submission will be treated as a Category 2 disclosure. Category 2 submitters under the Audit Policy can request an extension of the violation correction of up to 30 days without explanation, or can request a longer extension (up to 180 days following the date of discovery) if they provide an explanation. Category 2 submitters under the Small Business Compliance Policy can request an extension of the violation correction of up to 90 days without explanation, or can request a longer extension (up to 360 days following the date of discovery) if they provide an explanation based on the time needed to correct the violation by putting into place pollution prevention measures. The eDisclosure system automatically extends the deadline, but the request is not considered officially granted or denied at the time of the request.
The Compliance Certification should identify the specific violations, certify that they have been corrected, and certify that the self-disclosure policy conditions have been met. Disclosures will be considered withdrawn if: (1) the submitter withdraws it before submitting the Compliance Certification; (2) does not timely submit the Compliance Certification; or (3) submits a Compliance Certification that does not meet the conditions of the self-disclosure policies. In the case of withdrawal, eDisclosure will record the submission, notify the submitter that EPA will retain the records, and will send the submitter a notice that the disclosure does not qualify for penalty mitigation under the self-disclosure policies.
Entities with pre-existing unresolved Category 1 violations can resubmit the disclosures through the eDisclosure process (including Compliance Certification) within 120 days of the Portal’s launch. These disclosures are not eligible for an extension. Pre-existing disclosures subject to audit agreements will be resolved outside of eDisclosure through a Notice of Determination, Consent Agreement and Final Order, or Consent Decree. Other pre-existing disclosures not falling under one of these two groups will be treated as Category 2 disclosures.
EPA will conduct spot-checks on the submissions. In reviewing Category 1 submissions, it will look for conformity with EPCRA, the self-disclosure policies, and the eDisclosure requirements. In reviewing Category 2 submissions, EPA will look for significant concerns like criminal conduct and potential imminent hazards.
EPA intends to make publicly available eNODs issued for Category 1 releases. This is consistent with EPA’s policy that resolved disclosures are publicly releasable in response to a Freedom of Information Act request, and because the eDisclosure system cannot process confidential business information (“CBI”). Therefore, reports should be scrubbed for CBI information, and any follow-up CBI required to be submitted must be sent manually.
The eDisclosure system offers a promising means of resolving self-disclosures in an efficient manner, particularly for the most common types of disclosures involving Toxic Release Inventory and EPCRA “Tier 2” reporting violations. For other types of violations, however, the new system offers more limited benefits, particularly regarding the certainty of resolution, than under the prior Audit Policy approach.