The National Security Division (“NSD”) of the Department of Justice (“DOJ”) has issued a revised version of its voluntary self-disclosure policy for voluntary disclosures of willful violations of export control and sanctions laws. The “Export Control and Sanctions Enforcement Policy for Business Organizations” (“the VSD Policy”) supersedes NSD’s prior guidance issued in October 20161 and builds on recent enforcement and compliance guidance issued by DOJ and the Treasury Department, including updates to the FCPA Corporate Enforcement Policy.
The revised VSD Policy: (1) clarifies the benefits that are available to companies that voluntarily disclose a violation, fully cooperate with NSD, and timely and appropriately remediate; (2) clarifies that disclosures of potentially willful conduct made to regulatory agencies, and not to DOJ, will not qualify for the benefits provided in the policy; and (3) standardizes the definitions of “Voluntary Self-Disclosure,” “Full Cooperation,” and “Timely and Appropriate Remediation” to closely mirror those in the FCPA Corporate Enforcement Policy, see OMM Alert “DOJ Eases Requirements in Corporate Enforcement Policy Update.”
Overall, the revised VSD Policy reflects DOJ’s continued emphasis on corporate voluntary self-disclosure and rewards companies for doing so. At the same time, the VSD Policy, as well as other recent U.S. Government enforcement policies, signal the importance of strong corporate compliance programs to prevent and detect export control and sanctions violations in the first instance.
Presumption of Non-Prosecution Agreement and Lack of Fine
The VSD Policy revises the prior guidance to expressly create a presumption that a company will receive a non-prosecution agreement and, absent aggravating factors, will not pay a fine when the company: (1) voluntarily self-discloses export control or sanctions violations to DOJ, (2) fully cooperates, and (3) timely and appropriately remediates the underlying issues that led to the willful violations. (The VSD Policy’s presumption of a non-prosecution agreement is in contrast to the FCPA Corporate Enforcement Policy’s presumption of a declination of prosecution.)
The VSD Policy provides that if, due to aggravating factors, a different criminal resolution such as a deferred prosecution agreement or guilty plea is warranted then DOJ:
- Will recommend a fine that is at least 50% less than the amount that otherwise would be available. That is, the Department will cap the recommended fine at an amount equal to the gross gain or gross loss; and
- Will not require appointment of a monitor if a company has, at the time of resolution, implemented an effective compliance program.
Aggravating factors include:
- Exports of items controlled for nuclear nonproliferation or missile technology reasons to a proliferator country;
- Exports of items known to be used in the construction of weapons of mass destruction;
- Exports to a Foreign Terrorist Organization or Specially Designated Global Terrorist;
- Exports of military items to a hostile foreign power;
- Repeated violations, including similar administrative or criminal violations in the past; and
- Knowing involvement of upper management in the criminal conduct.
In both cases, however, the company will be required to pay all disgorgement, forfeiture, or restitution from the underlying misconduct.
Direct Reporting to DOJ
The VSD policy makes clear that when a company identifies potentially willful conduct but chooses to self-report only to a regulatory agency such as the Departments of Commerce, Treasury, and State, but not to DOJ, the company will not qualify for the benefits of the Policy in any subsequent DOJ investigation.
The VSD Policy updates the definitions of “Voluntary Self-Disclosure,” “Full Cooperation,” and “Timely and Appropriate Remediation” to more closely resemble guidance from other DOJ components.
Under the VSD Policy, “Voluntary Self-Disclosure” means:
- The company discloses the conduct to DOJ “prior to an imminent threat of disclosure or government investigation;”
- The company discloses the conduct to DOJ “within a reasonably prompt time after becoming aware of the offense,” with the burden on the company to demonstrate timeliness; and
- The company discloses all relevant facts known to it at the time of the disclosure, including as to any individuals substantially involved in or responsible for the misconduct at issue.
“Full Cooperation” means a company must take actions, including:
- Disclosure on a timely basis of all facts relevant to the wrongdoing at issue, even when not specifically asked to do so;
- Timely preservation, collection, and disclosure of relevant documents and information relating to their provenance, including (a) disclosure of overseas documents, the locations in which such documents were found, and who found the documents, (b) facilitation of third-party production of documents, and (c) where requested and appropriate, provision of translations of relevant documents in foreign languages; and
- When requested, making company officers and employees who possess relevant information available for interviews with DOJ.
“Timely and Appropriate Remediation” means:
- Demonstration of thorough analysis of causes of underlying conduct and remediation of the root causes;
- Implementation of an effective compliance program;
- Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred;
- Appropriate retention of business records, and prohibition of the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations; and
- Any additional steps that demonstrate recognition of the seriousness of the company’s misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risks.
Companies should consider these measures in parallel to OFAC’s compliance program expectations, articulated in A Framework for OFAC Compliance Commitments issued in May 2019. The key features of a sanctions compliance program are: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training. Management commitment means a culture of compliance that a company’s executives and board of directors articulate and implement. Key indicators of management’s commitment to compliance are the resources allocated to the sanctions compliance team and its independence and authority within the company. OFAC also advises companies to “conduct a routine, and if appropriate, ongoing ‘risk assessment’” that analyzes the potential for sanctions risk to arise in dealings with customers, suppliers, intermediaries, and counterparties, as well as in potential targets for mergers and acquisitions. A company’s internal controls, including its written policies and procedures, should be based upon the risk assessment and tailored to the company’s specific risks. These policies and procedures should be audited and tested at regular intervals for effectiveness. The company should also ensure that relevant internal personnel (and, as appropriate, other stakeholders) receive sanctions training on a periodic basis, commensurate with the company’s risk profile.