On Dec. 13, 2019, the National Security Division (“NSD”) of the U.S. Department of Justice (“DOJ”) issued a revised policy, titled the Export Control and Sanctions Enforcement Policy for Business Organizations (“Revised Policy”), which expands protections for companies that voluntarily self-disclose export control and sanctions violations to the NSD’s Counterintelligence and Export Control Section. Under the Revised Policy, there will be a presumption against a fine and in favor of a non-prosecution agreement (“NPA”) to companies who voluntarily disclose the violation, fully cooperate with the NSD, and timely and appropriately remediate any underlying causes. The Revised Policy provides greater clarity for companies considering making voluntary disclosures, with the hope of encouraging more companies to self-report. In addition, the Revised Policy will cover financial institutions, which were previously excluded.
Summary of the Revised Policy
In order for a business organization to qualify for the presumption against imposing a fine and for an NPA, companies must submit a voluntary self-disclosure to DOJ. To qualify, the disclosure must (1) be made prior to an imminent threat of disclosure or government investigation; (2) be made at a reasonably prompt time after becoming aware of the offense; and (3) include all relevant facts known to the company at the time, including any individuals substantially involved in, or responsible for, the misconduct.
The Revised Policy makes clear that if a company chooses only to self-report to a regulatory agency and not to DOJ, the company will not qualify for the benefits of a voluntary self-disclosure from DOJ.
Companies must also fully cooperate with the NSD in order to qualify for the presumption. In order to receive credit for full cooperation the company must (1) timely disclose all facts relevant to the wrongdoing, including attribution of facts to specific sources; (2) engage in proactive, rather than reactive, cooperation; (3) timely preserve, collect, and disclose relevant documents, including overseas documents; (4) when requested, defer interviewing witnesses until DOJ has had an opportunity to do so; and (5) endeavor to make witnesses with relevant knowledge available for DOJ to interview.
The Revised Policy highlights DOJ’s continued commitment to the principle that eligibility for cooperation credit will not be predicated on waiver of the attorney-client or work product privileges. The Revised Policy also explicitly addresses situations where a company seeks credit for full cooperation, but overseas privacy statutes block disclosure of overseas documents relevant to the underlying issue. In such situations, the company will bear the burden of establishing the prohibition and must proactively seek ways it can legally provide the relevant information to DOJ.
Companies that fail to meet all of the foregoing criteria of “full cooperation” may still be eligible for some cooperation credit if they provide all relevant information related to individual accountability. Ultimately, the extent of any cooperation credit will depend on the extent of the company’s cooperation.
In order for a company to receive full credit for remediation under the Revised Policy, a company must (1) demonstrate a thorough analysis of the root causes of the misconduct and implementation of remediation to address the root causes of the failure; (2) implement an effective compliance program; (3) appropriately discipline employees and supervisors responsible for the misconduct; (4) appropriately retain business records, and implement guidance and controls regarding the use of personal communications and “ephemeral messaging platforms”; and (5) take additional steps designed to demonstrate the company’s recognition of the seriousness of the misconduct, accept responsibility for the misconduct, and reduce repetition of the misconduct.
The Revised Policy sets forth a list of non-exhaustive factors that indicate an effective compliance program, which are similar to the factors set forth in DOJ’s “FCPA Corporate Enforcement Policy” and consistent with the U.S. Department of the Treasury’s “A Framework for OFAC Compliance Commitments.” The hallmarks of an effective compliance program include establishing a culture of compliance; allocating adequate resources to the compliance function; hiring quality and experienced compliance personnel; providing authority and independence to the compliance function; performing an effective risk assessment and audit; appropriately compensating and promoting personnel in the compliance function; and implementing an effective reporting structure within the company.
Companies will not be afforded the presumption against imposing a fine and in favor of a non-prosecution agreement if certain aggravating factors are present. DOJ has identified a non-exhaustive list of these factors, which include, among others, (1) exporting items controlled for reasons of nuclear nonproliferation or missile technology to countries known to be nuclear proliferators, (2) exporting items used in the construction of weapons of mass destruction, (3) exporting items to a Specially Designated Global Terrorist or Foreign Terrorist Organization, (4) exporting military items to a hostile country, (5) violating export controls or sanctions requirements repeatedly or (6) the knowing involvement of an organization’s upper management in criminal conduct.
If aggravating factors are present, but the company has otherwise satisfied the requirements of the Revised Policy, the company may face a different criminal resolution than companies who do not have any aggravating factors. While the company may, for example, still face a deferred prosecution agreement or guilty plea, the Revised Policy specifies that companies that voluntarily self-disclose, fully cooperate and timely remediate may receive a 50% or greater reduction in the fine that would otherwise be levied for the misconduct, and a commitment not to appoint an independent monitor if the company has an effective compliance program at the time of resolution.
This change in policy signifies a continued effort by the government to encourage voluntary self-disclosures by companies in the export control and sanctions context. The Revised Policy, which follows on the heels of, and parallels, DOJ’s FCPA cooperation policy, provides a clear roadmap for companies who are contemplating making a voluntary disclosure, setting forth what will be expected of them in order to receive full cooperation credit. The Revised Policy contemplates and addresses privilege issues, data privacy issues, and blocking statutes, all of which can be obstacles to cooperation by an otherwise willing company. In addition, the Revised Policy makes cooperation a particularly attractive option in situations where a company uncovers potentially willful violations at a company it has recently acquired. Further, the Revised Policy recognizes that there may be other relevant regulators and signals an intent of DOJ to coordinate with those other regulators to avoid piling on penalties.
The Revised Policy and its accompanying release announcement also indicate, however, an increased focus by DOJ in prosecuting willful sanctions violations, and the disclosures required in order to receive full cooperation credit are substantial. Among other things, companies that are contemplating making a voluntary self-disclosure are expected to make a determination as to the extent of any willfulness, and identify responsible employees and supervisors early in their analysis in order to take advantage of the cooperation guidance. To receive full credit, their obligations to cooperate and provide disclosures will extend far beyond the initial disclosure.
In sum, the Revised Policy provides greater clarity for companies evaluating voluntary self-disclosure, and for the first time permits financial institutions to seek cooperation credit. The decision as to whether, when, and to whom a voluntary self-disclosure should be made requires an informed case-by-case analysis.