On April 5, 2016, the US Department of Justice (DOJ) Fraud Section issued a nine-page memorandum describing a one-year pilot program designed to entice companies to voluntarily self-report FCPA violations and cooperate with the DOJ. The memorandum articulates, for the first time, precisely what the Fraud Section considers to be complete and voluntary self-disclosure, full cooperation and appropriate remediation of internal controls and compliance programs. Pursuant to the new pilot program, a company that satisfies these elements might receive such tangible benefits as up to a 50 percent reduction off the bottom of the fine range indicated by the US Sentencing Guidelines and/or avoidance of a compliance monitor (disgorgement of all ill-gotten gains will still be required). A declination of prosecution may also be in the cards; however, the seriousness of the offense will be considered. Examples of when a declination will likely not be warranted include: where senior management is involved in the misconduct, where the profits are significant in relation to the company’s size and wealth, where the company has a history of violations, and where a company has entered another resolution with the DOJ within the past five years. In contrast, a company that does not voluntarily self-disclose an FCPA violation but does fully cooperate will, under the pilot program, receive at most a 25 percent reduction off the fine range under the Sentencing Guidelines.
In addition to the pilot program, other components of the Fraud Section’s “enhanced FCPA enforcement strategy” touted in the memo are (1) an increase in FCPA enforcement resources, including a 50 percent increase in FCPA prosecutors, the hiring of special compliance counsel to assess compliance programs, and the establishment of three special units of the FBI to address bribery and corruption; and (2) strengthened international coordination among prosecutors of several countries. According to the DOJ, all of this is designed to promote greater accountability for individuals and companies that engage in corporate crime, and to “increase the Fraud Section’s ability to prosecute individual wrongdoers whose conduct might otherwise have gone undiscovered or been impossible to prove,” as announced in a September 9, 2015 Memorandum from Deputy Attorney General Sally Quillian Yates to all DOJ attorneys (the Yates Memo).
What does this new pilot program really mean for companies that may find themselves in the unenviable position of having discovered a potential FCPA violation by their officers, directors, employees or other agents? For years the DOJ has been saying that additional credit, beyond that which would be available under the Sentencing Guidelines, is available to companies that self-report, fully cooperate and remediate. Likewise, the DOJ has been emphasizing for years its crackdown on individuals; recall Eric Holder, circa 2010: “Let me be clear, prosecuting individuals is a cornerstone of our enforcement strategy because, as long as it remains a tactic, paying large monetary penalties cannot be viewed by the business community as merely ‘the cost of doing business.’ The risk of heading to prison for bribery is real, from the boardroom to the warehouse.”
So what, if anything, is different today? For one thing, having greater clarity about what the DOJ expects from companies that wish to self-report, and what benefit they might receive for doing so, is always useful. But companies should remain mindful that once they embark on the journey of self-disclosure, they hand the ball to the government, which has complete discretion to decide not only the rules of the game, but also how long it will last, who will be invited to play, and when and how it will end.
Framework of the pilot program
To qualify for credit under the program—beyond that which may be available under the US Sentencing Guidelines—a company must satisfy three elements. First, the company must voluntarily self-report an FCPA violation to the Fraud Section in a timely manner. If disclosure is required by law, agreement, or contract, then it is not voluntary. Further, it will not be deemed voluntary if the government has already initiated an investigation, or if there is an imminent threat of disclosure. The company must disclose all relevant facts known to it concerning the wrongdoing at issue, including all facts related to the individuals involved.
Second, once disclosure occurs, the company must fully and continually cooperate. As described in the guidance, full cooperation essentially entails proactively revealing all relevant facts, above and beyond that which may be specifically requested by the government; preserving, collecting and producing evidence on a rolling basis, including from overseas locations; making officers and employees available; and providing regular updates. Moreover, not only will the Fraud Section expect a company to provide relevant facts held by third parties, regardless of form, source, employment status, or location (unless prohibited from surrendering by law), but it will expect a company to “identify opportunities for the government to obtain relevant evidence not in the company’s possession and not otherwise known to the government.” “All relevant facts” includes all facts learned in internal investigations—including individual names—as well as the source to which each piece of information is attributable. For documents or physical items, a full chain of custody must also be established. Throughout the guidance, the Fraud Section acknowledges the preservation of attorney-client and attorney work product privileges, but makes clear that these protections cannot be a wholesale basis for withholding relevant information. Claims that disclosures are prohibited by foreign law, or that the company has inadequate resources or finances to accomplish the work, will be viewed with skepticism; the company bears the burden not only of proving that this is true, but also of showing that it is diligently working to find ways to accomplish cooperation despite these hindrances.
Third, to qualify for mitigation credit under the pilot program, a company that voluntarily self-reports and fully cooperates must also remediate any deficiencies in its internal controls or compliance programs. As described in this announcement, an effective compliance program must include the following elements, at a minimum:
- A strong culture of compliance with employee awareness at all levels
- Adequate resources devoted to the compliance function
- Qualified and experienced compliance personnel
- Compliance independence
- An existing risk assessment that formed the basis for the compliance program
- Compensation and promotion of compliance personnel equivalent to other employees
- Regular program audits to test effectiveness
- Compliance personnel reporting lines separate from business
- Appropriate employee discipline for those responsible for misconduct
- Other matters that show recognition of the seriousness of FCPA misconduct, acceptance of responsibility for a program, and measures to prevent repeated misconduct and to identify future risks
We note that consideration of these elements now, before an event occurs, can help a company avoid ending up in a disclosure situation or, failing that, at least minimize the risk and potential damage to the company if a government investigation (triggered by a self-disclosure or otherwise) ensues.
While the announcement of this pilot program provides some useful insight into the DOJ’s expectations regarding self-disclosure, cooperation and remediation, and does try to quantify the benefits a company can potentially hope to obtain if the DOJ is satisfied that it has met the specified criteria, what effect the new pilot program will have on actual enforcement remains to be seen. Meanwhile, companies can and should plan for the possibility that an FCPA allegation may surface by putting in place measures to meet the DOJ’s expectations for an effective compliance program, and implementing appropriate risk mitigation strategies. By doing so, companies will be in a much better position if a potential violation is alleged.
As with cyber security, environmental risks and other contingencies, companies should have crisis management plans in place for FCPA risks, should have compliance programs tied to a relatively recent risk assessment, and should conduct audits of their programs to test for effectiveness. Further, when conducting investigations, both in-house and outside counsel must be mindful of how their investigative tactics and remedial measures may look to a prosecutor reviewing those steps in the future. While this new guidance is exacting, preparedness coupled with expectation-setting early on can help companies rapidly make informed self-disclosure decisions if an FCPA allegation arises.