As the United States recovers from the covid-19 pandemic, US federal courts have cautiously returned to in-person proceedings. The number of federal criminal cases continued its decline in fiscal year 2021 to its lowest levels in at least a decade. The number of corporate criminal prosecutions, however, appears to be holding steady, if not increasing.
The Fraud Section of the Criminal Division of the US Department of Justice (DOJ), responsible for investigating and prosecuting complex white-collar crimes, reported a slight increase in the number of charges against individual corporate defendants – 333 individuals charged in 2021 versus 326 in 2020 – but a noticeable rise in convictions: more than a 50 per cent increase in individual convictions (329 individual convictions in 2021 compared to 213 in 2020) and almost double the number of convictions secured by trial (30 trial convictions in 2021 compared to 16 in 2020). Corporate resolutions slid from 13 corporate resolutions in 2020, which was just two shy of the 15 in 2019, to eight. This increase in individual convictions and decrease in corporate resolutions is consistent with an increased focus on individuals. As DOJ Deputy Attorney General Lisa Monaco stated in a keynote address on 28 October 2021, 'it is unambiguously this department's first priority in corporate criminal matters to prosecute the individuals who commit and profit from corporate malfeasance.'2
This shift in focus may be seen on the foreign bribery front. In April 2022, a jury found a former investment banker at the New York-headquartered global financial institution Goldman Sachs Group Inc guilty of conspiring to violate the Foreign Corrupt Practices Act (FCPA) as part of the 1Malaysia Development Berhad (1MDB) scandal. This followed an October 2020 US$2.9 billion deferred prosecution agreement (DPA) by Goldman Sachs and an accompanying guilty plea by its Malaysian subsidiary to conspiring to violate the FCPA as part of a coordinated resolution with authorities in the United States, United Kingdom, Singapore and elsewhere in connection with the 1MDB scandal. However, in fiscal year 2021, the number of criminal FCPA corporate resolutions dropped from eight such resolutions in fiscal year 2020 involving US$7.84 billion to three DPAs involving US$649 million. Similarly, the US Securities and Exchange Commission – the FCPA statute's civil enforcer – entered four settlements for FCPA violations. So, soon after a blockbuster fiscal year 2020 with US$2.79 billion in FCPA corporate penalties across 16 enforcement actions, fiscal year 2021 saw a new low of US$259.5 million in FCPA monetary resolutions across six enforcement actions.
The focus on individual prosecutions can also be seen in the financial sector, where regulators and law enforcement continue traditional investigations into currency, commodities, interest rate, and futures market manipulation. In August 2021, a jury convicted two former Merrill Lynch traders of wire fraud and conspiracy to commit wire fraud in connection with their manipulation of the precious-metals futures market through 'spoof' orders – a practice made illegal by the 2010 Dodd–Frank Wall Street Reform and Consumer Protection Act. This followed a June 2019 US$25 million nonprosecution agreement (NPA) with Merrill Lynch Commodities Inc for spoofing conduct, and was the latest spoofing prosecution brought by the DOJ against individual traders to go to trial.3
Developments in cryptocurrency have also brought related fraudulent schemes. In September 2021, the self-proclaimed 'number one promoter' of cryptocurrency BitConnect pleaded guilty to participating in a cryptocurrency investment scheme that raised and defrauded investors of more than US$2 billion, which resulted in the US government's seizing and liquidating US$56 million, the largest single recovery in a cryptocurrency fraud matter at that time. In February 2022, the US government arrested two individuals alleged to have conspired to launder cryptocurrency stolen from Bitfinex, a virtual currency exchange, during a 2016 hack, and seized US$3.6 billion in cryptocurrency. This seizure was the largest financial seizure ever for the DOJ.
The prioritisation of individual prosecutions has not been without its risks to the DOJ. In January 2021, the Boeing Company entered a US$2.5 billion DPA for conspiracy to defraud the US Federal Aviation Administration in its evaluations of Boeing's 787 MAX aeroplane. In March 2022, however, a jury acquitted Boeing's former chief technical pilot on similar charges.
Another major development in the past year has been the Russian invasion of Ukraine in February 2022. In response, the DOJ launched Task Force KleptoCapture, an inter-agency task force dedicated to enforcing sweeping sanctions, export restrictions, and economic countermeasures against Russia. In recent years, the DOJ has pursued enforcement actions against a number of international financial institutions for the failure of anti-money laundering controls and for processing transactions on behalf of parties subject to US economic sanctions administered by the Office of Foreign Assets Control (OFAC) of the US Treasury Department.4 In April 2019, Standard Chartered paid US$1.1 billion to US and UK authorities and UniCredit paid US$1.3 billion to US authorities to resolve investigations into their compliance with US sanctions laws. In January 2021, PT Bukit Muria Jaya, a cigarette paper products manufacturer located in Indonesia, entered into a US$1.5 million DPA with the DOJ and a parallel settlement with OFAC for the shipment of products to North Korea. The DOJ has seldom filed criminal charges against international financial institutions outside a settlement agreement, but in October 2019, the DOJ indicted Halkbank, the second-largest state-owned bank in Turkey, for helping Iran evade US sanctions in a criminal proceeding that Halkbank is contesting. The DOJ investigations in these actions have been conducted in conjunction with the New York County District Attorney's Office, OFAC and the US bank regulatory agencies, in addition to global regulators such as the UK Financial Conduct Authority. In January 2022, the case was stayed pending appeal to the US Supreme Court.
The statutes authorising these varied prosecutions represent just a sliver of the interlocking regulatory and legal regimes in the United States, in which companies must comply with numerous regulations and statutes or face criminal or civil sanctions. There is no shortage of regulatory agencies empowered to take action in the event of a compliance lapse. The most prominent of these include the DOJ, the SEC, the Internal Revenue Service (IRS), the Environmental Protection Agency (EPA), the CFTC, the US Departments of Commerce, Labor and the Treasury, the Federal Energy Regulatory Commission, the Occupational Safety and Health Administration and banking regulators such as the Federal Reserve and the New York State Department of Financial Services (DFS). Many of these agencies are empowered to commence formal investigations and enforcement proceedings on their own initiative and impose monetary sanctions or other penalties.
Still, the DOJ – charged with prosecuting corporate crimes such as money laundering, bribery and tax fraud – is uniquely formidable among the agencies because of its power to indict and prosecute criminally, the threat of which has remained an important method of ensuring corporate compliance during the past two decades. For large-scale corporate investigations and prosecutions, the DOJ frequently coordinates with other federal agencies, as well as state and local authorities. This coordination extends to inter-agency task forces, such as KleptoCapture.
A corporation facing a criminal investigation by the DOJ or other agencies typically feels great pressure to avoid an indictment, which carries the risk of severe reputational, legal, regulatory and other 'collateral' consequences (even apart from the potential criminal penalties such as fines, forfeiture, disgorgement of unlawful profits, and restitution). For many companies, particularly highly regulated ones, a mere indictment – before conviction or even after acquittal – can have severe reputational effects, and disastrous consequences for a company's stock price and its ability to seek funding in the capital markets. Moreover, corporations in certain industries, such as companies that serve as government contractors for the Department of Defense or participate in the federal government's Medicaid and Medicare programmes, can face crippling suspension upon the filing of charges and mandatory exclusion from the programmes if ultimately convicted. The collateral consequences of a corporate criminal investigation and prosecution may not be reversible even if the company is vindicated on appeal. It is therefore not surprising that most companies facing regulatory investigations cooperate as fully as possible in the hope of avoiding formal charges and frequently self-report potential wrongdoing in which the company or its employees may be implicated.
Most federal enforcement agencies5 have published official policies emphasising the importance of voluntary disclosure and full cooperation in an investigation, and pledging to take into account any disclosure or cooperation (or lack thereof) in determining whether to bring an enforcement action and what kind of penalties to seek. The USSC Organizational Guidelines also explicitly provide for reduced sentences for companies that provide 'timely and thorough' cooperation, where 'timely' is defined as 'begin[ning] essentially at the same time as the organization is officially notified of a criminal investigation' and 'thorough' is defined as 'the disclosure of all pertinent information known by the organization.'6
In some cases, the benefits of self-reporting and cooperation are unambiguous. The Department of Defense, for instance, will not pursue suspension or debarment sanctions against companies that self-report and cooperate. The DOJ also has various voluntary self-disclosure leniency programmes. In December 2019, the DOJ revised a 2016 voluntary self-disclosure policy to provide stronger incentives to voluntarily self-report 'potentially wilful' trade violations by granting a presumption of a non-prosecution agreement (NPA) and of 'significant reductions' in penalties by the DOJ.7 The DOJ Antitrust Division's leniency programme, a centrepiece of the DOJ's efforts against price-fixing and other cartels, offers full amnesty to the first company involved in an antitrust cartel that comes forward to voluntarily disclose its participation, makes restitution to victims of the cartel, and cooperates in the investigation and prosecution of other culpable companies. The cooperating company's directors, officers and employees will also receive amnesty if they are willing to cooperate in the investigation. In April 2022, the DOJ's Antitrust Division added new obligations to the leniency programme, requiring that companies 'promptly self-report after discovering its wrongful conduct.'8 'Promptly' is not defined, but is 'based on the facts and circumstances of the illegal activity and the size and complexity of operations' of the company, with the company bearing the 'burden to prove that its self-reporting was prompt.'9 A cooperating company must also 'undertake remedial measures to redress the harm it caused and improve its compliance program.'10
In most other settings, however, voluntary disclosure and cooperation are just two of many factors that regulators and prosecutors promise to 'take into account' in their charging calculus, without specific guidance as to how much weight each will be accorded in relation to other factors affecting the charging decision. For example, both the DOJ and the SEC have explicitly included voluntary disclosure and cooperation in their respective official enforcement policies, and in the DOJ and SEC's FCPA resource guide, as factors to be weighed. High-ranking representatives from these enforcement agencies commonly make public pronouncements regarding the importance of voluntary disclosure and are quick to cite examples of companies that were purportedly spared severe sanctions after disclosing and cooperating fully. In spite of these assurances, it is difficult to isolate any quantifiable benefit that can be attributed to voluntary reporting alone as opposed to other factors because of the lack of visibility in the regulators' decision-making process and the multitude of factors that affect both the decision to charge and the severity of the ultimate penalty imposed. Given the regulators' clear interest in having companies come forward on their own initiative to disclose wrongdoing, thereby avoiding the burden of independently detecting illicit activity, companies may have good reason for some degree of scepticism of the professed benefits of self-disclosure.
In apparent response to criticism regarding the uncertain benefits of self-reporting and cooperation in the FCPA context, the DOJ implemented a one-year pilot programme in April 2016 with the aim of providing additional guidance for prosecutors investigating FCPA violations and motivating companies to disclose potential FCPA violations. The pilot programme expanded upon prior DOJ guidance by articulating the specific requirements that companies must satisfy to be eligible for reductions in penalties as a result of voluntary disclosure, cooperation with the DOJ, and remediation (i.e., the implementation of effective FCPA compliance controls); and quantified the potential reduction in fines for which a qualifying company may be eligible: up to 50 per cent off the minimum USSC Organizational Guidelines range if the target company fully complies with the criteria set out in the announcement. In November 2017, the DOJ announced a new corporate enforcement policy intended to expand and replace the pilot programme. This included a new presumption that the DOJ will decline to prosecute if a company satisfies the policy's requirements for voluntary self-reporting, cooperation and timely remediation (although the company will still be required to disgorge any ill-gotten gains). In 2018, the DOJ announced that it was informally expanding this policy outside the FCPA context.
The DOJ has since made numerous revisions and clarifications that appear to further incentivise companies to self-report. For example, in March 2019, the DOJ clarified that a company could still obtain the benefits of the self-reporting and cooperation policy even if 'aggravating factors' such as the involvement of senior management in the underlying misconduct were present, as long as the company's actions were 'otherwise exemplary.' In November 2019, the DOJ provided that companies are required only to disclose facts known 'at the time of disclosure' (as opposed to the prior 'all relevant facts' standard), and eliminated the requirement that companies disclose certain evidence that a company 'should be aware of.' In October 2021, the DOJ announced that eligibility for cooperation credit will require companies to provide 'all non-privilege information about individual wrongdoing,' not just information related to individuals 'substantially involved' in misconduct.11
Even with additional guidance from the DOJ, it is not completely clear that voluntary reporting should be the default action of every company that discovers potentially unlawful conduct within its organisation. A company must, of course, first determine whether it has a mandatory legal obligation to disclose potential wrongdoing that it discovers. For example, financial institutions may be obliged to report suspicious activity. Sarbanes–Oxley also imposes numerous compulsory reporting requirements on companies should they discover certain types of fraud and other misconduct. Because many of the regulators have information-sharing agreements or otherwise coordinate their actions, if a company decides to self-report, it may be prudent to make the disclosures to all agencies with jurisdiction in order to receive the maximum potential self-reporting credit. Even without a mandatory legal obligation, a company should at the very least assess the probability of independent discovery of the potential misconduct by government authorities. The likelihood that a government agency will independently become aware of an impropriety has increased significantly in recent years as a result of the general upturn in regulatory enforcement activity, the expansion of international cooperation, the proliferation of new laws and regulations favourable to whistle-blowers, and the development and adoption of sophisticated technology to detect potential misconduct.
In determining whether to self-report and to what extent to cooperate with a regulatory investigation, corporations and their employees must also bear in mind that, should they be deemed to be impeding or obstructing the investigation, they may not only face charges relating to the conduct under investigation, but also charges of obstruction of justice or conspiracy to commit obstruction of justice. These obstruction charges are typically much easier to prove than charges stemming from the underlying conduct being investigated and can carry penalties that are equally, or more, severe. Under Sarbanes–Oxley, for example, an individual can face up to 20 years in prison for altering or falsifying documents with the intention of obstructing a federal investigation and a company can face substantial fines for this conduct. In recent years, the DOJ has not hesitated to seek such penalties against companies and employees that are perceived to be uncooperative or evasive, and the SEC and other agencies have been known to refer reports of obstructive conduct during civil enforcement actions to the DOJ for criminal prosecution. For instance, in February 2018, a US subsidiary of the Netherlands-based Coöperatieve Rabobank UA agreed to forfeit US$369 million and pleaded guilty to obstructing an investigation into deficiencies in the bank's anti-money laundering compliance programme conducted by Rabobank's primary regulator, the Office of the Comptroller of the Currency of the US Treasury Department.12

ii Internal investigations
In conjunction with disclosing potentially improper conduct to the government, a corporation will typically undertake an internal investigation, either on its own initiative or with the encouragement of the relevant government agency, to determine whether unlawful activity has in fact occurred and, if so, which employees are responsible. There are several important reasons for conducting such an investigation. First, a full understanding of the facts can be crucial to mounting a defence in any adversarial proceedings that might arise with government authorities or in any private civil suits that might be filed. Second, by conducting an internal investigation and disclosing important information gleaned from a review of documents and employee witness interviews to federal agencies, a corporation may be more likely to receive credit for cooperation and thereby decrease its risk of indictment and the imposition of severe penalties. Finally, simply as a matter of good corporate governance, it is important for the corporation to be confident that it has accurately determined which employees were responsible for the unlawful activity and to ensure that it has implemented adequate controls to prevent any recurrence of the wrongdoing.
Even if a company has not yet made the decision to report potentially unlawful conduct to a regulator, it still might have cause to conduct an internal investigation after, for example, (1) receiving a tip about fraudulent activity on a dedicated company hotline, (2) receiving information from an internal or external auditor about a potential compliance issue, or (3) being named in a civil suit by a former employee containing allegations of improper conduct on the part of the company. Further, because Sarbanes–Oxley requires companies to implement systems for the reporting of complaints by employees relating to accounting or auditing matters, and to conduct investigations in response to a wide range of concerns, companies are more likely than ever before to encounter situations in which the prudent course of action is to initiate an internal investigation.
It is generally advisable to have counsel supervise such investigations because of the likelihood that legal questions and issues will arise, although whether it is necessary to retain an outside law firm will depend on the company's assessment of various considerations. While external counsel may have more experience conducting internal investigations and dealing with government agencies, in-house counsel may have the advantage of a more intimate understanding of the company's operations and culture. This familiarity with the company, however, can also be a weakness if it is perceived by the government to undermine objectivity, in which case the company may have more credibility in interacting with the government if it retains reputable external counsel. This is especially likely to be the case if the conduct under investigation implicates any members of the company's legal department.
Whether conducted by in-house or outside counsel, a significant amount of attorney–client privileged information and attorney work-product material will be generated during the course of an internal investigation. Prior to 2006, the DOJ expected that a corporation would waive attorney–client privilege and provide all requested materials and information if the company wished to be given credit for cooperation. There was significant criticism of this policy from the corporate sector, the defence Bar, and various members of Congress. In response, the DOJ revised its policy in 2008 and categorically directs prosecutors not to seek a waiver of privilege and prohibits prosecutors from taking waiver into account when making a cooperation determination. The current policy does, however, allow prosecutors to consider the extent to which the company has disclosed all relevant facts. Other agencies, such as the SEC, have published similar policies. Therefore, despite the government's assurances that waiver is not necessary to obtain credit for cooperation, a company may find that it is not possible to make a full disclosure of the relevant facts without turning over privileged materials. Moreover, some courts have held that oral summaries of witness interviews offered by companies to regulators as part of their cooperation constituted a waiver of the attorney–client privilege and attorney work-product protections over interview notes and memoranda prepared by company counsel.
With respect to conducting these investigations, there are typically two primary components: (1) review and analysis of relevant documents and (2) interviews with company employees who have knowledge of the relevant facts. Generally, documents are gathered and reviewed before conducting interviews. This allows the interviewer to uncover and focus on key issues or questions discovered during the course of the document review, or to seek clarification on potentially inculpatory or troubling statements contained in those documents. At the outset of each interview, the standard practice is to notify the employee that the attorney conducting the interview is counsel to the company and not the interviewee's personal attorney and that, while the conversation is protected by attorney–client privilege, that privilege belongs to the company, which the company may waive at its sole discretion. The employee should also be informed that any information imparted during the interview may be shared with government authorities.
Unless it uncovers nothing to merit any disclosure during the course of the internal investigation, a company will typically present its findings to the government after completing the document review and interviewing process, or – for a particularly complex investigation – at the conclusion of some segment of that process. Those presentations can be made orally or in written form, in response to which the government may identify additional areas of concern that require follow-up work. The government and counsel may then engage in dialogue regarding whether criminal or civil charges are warranted – and what kind – and how much credit to give to the company for its cooperation. In making its case for leniency, it may be effective for a company to argue not only that the facts uncovered do not amount to actionable misconduct, but also, from a policy perspective, that the relevant agency's objectives would not be advanced by pursuing an enforcement action against the company. A company should also consider reviewing the agency's published charging guidelines (such as the DOJ's guidelines for the prosecution of business organisations)13 to support an argument that an enforcement action is not warranted or that the situation calls for reduced charges; for example, by emphasising that (1) senior management was not implicated in the wrongdoing and, therefore, the misconduct was not pervasive, (2) the company has no history of related misconduct, (3) the company had a robust and effective compliance programme in place at the time of the offence, or (4) the collateral consequences of enforcement would be unjustifiably severe.

iii Whistle-blowers
The probability of a US company facing a whistle-blower complaint increased significantly with the implementation of the whistle-blower provisions of Dodd–Frank, which came into effect in 2011. The Dodd–Frank whistle-blower rules expand the already far-reaching protections for whistle-blowers created by Sarbanes–Oxley and the False Claims Act, including extending Sarbanes–Oxley whistle-blower coverage to employees of non-public subsidiaries of publicly traded companies.
Under Dodd–Frank, the SEC must award whistle-blowers who alert the SEC to certain types of wrongdoing that result in successful enforcement actions rewards of between 10 and 30 per cent of the total monetary sanctions collected by the SEC over US$1 million. On 23 September 2020, the SEC adopted an amendment that introduced, for any award of US$5 million or less, a presumption that the SEC will grant the whistle-blower the statutory maximum award. In February 2022, the SEC proposed two rule changes that would potentially increase monetary awards to whistle-blowers. The first would allow the SEC to make an award to a whistle-blower in a 'related action' otherwise covered by another alternative whistle-blower programme. This would allow a whistle-blower to collect an award from the SEC's whistle-blower programme even if the underlying action is more directly covered by an alternative whistle-blower programme. The second proposed amendment would allow the SEC to consider the dollar amount of a potential award for the limited purpose of increasing the award amount. In fiscal year 2021, the SEC awarded US$564 million to 108 whistle-blowers, including the highest award in the whistle-blower programme's history – an award of US$114 million to a single whistle-blower and a separate US$110 million award to another. These awards in fiscal year 2021 bring the total payout over the life of the whistle-blower programme to more than US$1 billion.
The CFTC similarly has a whistle-blower programme established under Dodd–Frank. The CFTC issued its first award in 2014. In 2017, the CFTC amended its whistle-blower programme rules to strengthen protection for corporate whistle-blowers. In March 2022, the CFTC announced an approximately US$10 million award to a single whistle-blower – one of a number of multimillion-dollar whistle-blower awards, including an October 2021 award of nearly US$200 million – bringing the total awards granted under the CFTC's whistle-blower programme to about US$330 million. The CFTC credited these whistle-blower actions with resulting in monetary sanctions of more than US$3 billion.
The SEC continues to take aggressive action against companies perceived to be taking adverse action against whistle-blowers or attempting to frustrate or interfere with their protection and rights. For example, in 2017, the SEC fined the financial services company HomeStreet, Inc US$500,000 for attempting to uncover the identity of a whistle-blower after being contacted by the SEC in connection with an investigation and for including provisions in severance agreements with former employees causing those employees to waive severance payments if they receive a whistle-blower award. In February 2021, the SEC charged investment adviser GPB Capital and certain affiliated individuals, including the firm's owner and CEO, with, among other things, violating the whistle-blower protection provision of Dodd–Frank by imposing language in termination and separation employment agreements that might impede the flow of information from the firm's employees to the SEC. In June 2021, the SEC announced a US$208,912 settlement with a New York-based registered broker-dealer, Guggenheim Securities, LLC, for violating a whistle-blower protection rule by including in its compliance manual and announcing in its annual compliance trainings a prohibition to its employees from initiating contact with any regulator, including the SEC, without prior approval from the firm's legal or compliance department.
Given this complex regulatory regime, a company must proceed with even greater caution when confronted with allegations of misconduct by a whistle-blower. Any credible tips describing potential illegal acts should be investigated promptly and thoroughly, with the assistance of outside counsel if necessary. If the company determines that the allegations have merit, it should take swift remedial action and consider self-reporting its findings to interested regulators. By no means should a company take any action that might be perceived as retaliation against the whistle-blower, as this behaviour could potentially expose the company to substantial civil or criminal liability.
Enforcement

i Corporate liability
Because of the way in which the doctrines of corporate criminal and civil liability have evolved in the United States, prosecutors and regulatory agencies have considerable leverage over business organisations. Generally speaking, companies are liable for the actions of employees if the employees' conduct is 'within the scope of their employment' and they act at least in part with 'the motive of benefiting the company'. These two qualifiers have been interpreted to place little meaningful limit on a company's potential exposure. For example, corporations have been held liable where the wrongdoing at issue benefited only the employee and was perpetrated in violation of the company's explicit instructions. Moreover, it is irrelevant where the culpable employee falls on the corporate ladder; legally speaking, the conduct of a post room clerk is imputed to the company to the same extent as the company's CEO. Further, under the collective liability or collective scienter doctrine, a company may be liable – particularly in the civil context – if its employees, when considered in the aggregate, possessed sufficient knowledge and intent to violate the law, even if no single employee had the requisite mental state or corrupt intent. Some courts have limited the application of this doctrine in recent years. Notably, in February 2020, a US court overturned a jury conviction of a former Alstom SA executive on foreign bribery charges after finding that prosecutors had failed to prove that the executive was an 'agent' of the company's US subsidiary. Nevertheless, the doctrine can still be an attractive option for a regulator bringing, for example, a complex securities fraud case against a huge, decentralised company.

ii Penalties
Regulators have a vast arsenal of potential sanctions to impose on corporations convicted of a statutory violation. Among other potential sanctions, various regulatory statutes authorise criminal or civil fines (or both), restitution, disgorgement, criminal forfeiture, probation, and community service.14 Further, as addressed above, the collateral consequences of a conviction can be just as damaging, potentially resulting in suspension or debarment from eligibility for government contracts, reputational harm, and a drop in the company stock price. Moreover, corporate investigations often involve multiple regulators with overlapping jurisdiction, raising the possibility that the corporation will face substantial penalties imposed by numerous authorities for the same underlying misconduct. Responding to concerns about 'unfair duplicative penalties', informally referred to as 'piling on', in May 2018, the DOJ announced a new policy encouraging coordination by the DOJ with other US and international law enforcement agencies conducting investigations of the same conduct to avoid 'disproportionate enforcement of laws by multiple authorities'.
Since the 2007–2008 financial crisis, most corporate criminal investigations have ended with the two sides entering into a DPA or NPA, although there has been a marked increase in corporate guilty pleas – often by a company's subsidiary and alongside a DPA or NPA – to resolve DOJ actions in more recent years. In an October 2021 speech, Deputy Attorney General Lisa Monaco announced that the DOJ would be reconsidering the availability of DPAs and NPAs to 'recidivist' companies. Moreover, the DOJ has increased scrutiny of potential breaches of the terms of DPAs or NPAs. In October 2021, Telefonaktiebolaget LM Ericsson, a multinational telecommunications company headquartered in Sweden, announced that it was in breach of a 2019 DPA that resolved charges under the FCPA by failing to disclose misconduct and compliance failures in Iraq. Similarly, in March 2022, Deutsche Bank announced that it was deemed in breach of a 2021 DPA that resolved charges under the FCPA by failing to report a whistle-blower complaint alleging that it overstated environmental, social, and governance (ESG) initiatives.
Previously, DPAs and NPAs were the exclusive domain of the DOJ, but the SEC has also recently adopted their use. The typical DPA provides that the agency will file formal charges, which will be stayed for a set period (usually between one and three years), after which the charges will be dismissed if the company has complied with certain obligations. These obligations typically require the company to: cooperate fully with the agency's investigation and in any other investigation that may be ongoing; accept responsibility for the wrongdoing at issue; and undertake remedial action, including terminating or disciplining culpable employees, implementing revised internal controls and procedures and, in some cases, appointing an independent compliance monitor. The company also normally agrees to a monetary penalty, including a criminal or civil fine, forfeiture, restitution or disgorgement of unlawful profits. NPAs require similar types of performance on the part of the company but do not involve the formal filing of charges with a court. In both types of agreement, because the company has admitted to the conduct at issue (which is typically set out in an agreed 'statement of facts' attached to the agreement), if a company is indicted upon breach of the agreement, conviction is almost certain.
iii Compliance programmes
Not only do DPAs typically require the implementation of an effective compliance programme or the improvement of an existing one, the existence of an effective compliance programme is also a factor that the DOJ and other regulators take into account in making their charging decisions and may lead to a reduced sentence, in some cases up to 95 per cent, under the USSC Organizational Guidelines. Recently, the DOJ has moved to increase transparency in corporate criminal enforcements.
In June 2020, the DOJ updated its Evaluation of Corporate Compliance Programs guidance, which 'is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation's compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).'15 Although the evaluation of a corporate compliance programme is 'individualized', the DOJ identified three 'fundamental questions':
- Is the corporation's compliance programme well designed?
- Is the programme being applied earnestly and in good faith? In other words, is the programme adequately resourced and empowered to function effectively?
- Does the corporation's compliance programme work in practice?
In recent years, there has been a trend towards self-monitoring and reporting rather than the imposition of an independent monitor as a standard feature of a settlement agreement. In October 2018, the DOJ announced guidance setting out factors that the DOJ will evaluate in determining whether to impose a compliance monitor as part of a settlement with a corporation. These factors focus on the nature of the misconduct, the extent and effectiveness of the corporation's remediation, and the potential monetary costs and burdens on the corporation's operations. In October 2021, Deputy Attorney General Lisa Monaco made clear that the imposition of a monitor is neither disfavoured nor exceptional: 'In recent years, some have suggested that monitors would be the exception and not the rule. To the extent that prior Justice Department guidance suggested that monitorships are disfavored or are the exception, I am rescinding that guidance.'16
iv Prosecution of individuals
The question often arises during the course of a regulatory investigation of whether it is appropriate for a corporation to enter into a joint defence agreement with employees who are also under investigation. The DOJ's official position is that the government may not consider an arrangement of this kind in determining whether a corporation has cooperated with an investigation. However, as with the issue of waiver of privilege, the DOJ has qualified this position by noting that to the extent that such an agreement limits the company's ability to disclose relevant facts, it may adversely affect the ability of the company to obtain credit for cooperation. Moreover, because various agency policies and the USSC Organizational Guidelines encourage corporations to cooperate fully in the prosecution of employees accused of wrongdoing, in many situations the risk of a conflict of interest between the company and its employees may preclude the possibility of entering into a joint defence agreement.
Conflicts of interest are more likely than ever to arise as, in the years following the 2007–2008 financial crisis, the government became increasingly aggressive in pursuing individuals suspected of corporate malfeasance, and the DOJ has publicly announced that it favours prosecution of individuals over entities where feasible. In October 2015, the DOJ issued the 'Yates Memo', which calls for more focus by prosecutors on individual defendants, states that credit for cooperation by companies will henceforth be contingent on disclosing all relevant facts regarding individuals in the misconduct, and prohibits the resolution of any corporate action without a 'clear plan to resolve related individual actions'. In 2018, the DOJ, under the Trump administration, relaxed the requirements of the Yates Memo to some extent, clarifying that a company may be eligible for at least partial cooperation credit if it makes good-faith efforts to identify individuals 'substantially involved' in misconduct, even if the corporation is unable to identify all relevant facts about individual misconduct. In 2021, the DOJ again announced that individual accountability is a priority and that it was 'restoring prior guidance making clear that to be eligible for any cooperation credit, companies must provide the department with all non-privileged information about individuals involved in or responsible for the misconduct at issue.'17
International
i Extraterritorial jurisdiction
US federal agencies take an expansive view of their statutory jurisdiction and aggressively pursue foreign companies for violations of domestic law. Over the past decade, there has been an increase in the enforcement of US laws against corporate conduct that takes place largely outside the United States. This trend for cross-border investigations is evident in a variety of contexts.
In the FCPA context, a significant number of enforcement actions – including many of the higher-value settlements – targeted foreign companies and individuals. While the FCPA applied only to issuers of stock on a US exchange when originally enacted, the statute now proscribes corrupt payments by any person, natural or otherwise, where relevant acts occur 'in the territory of the United States'. Regulators have at times pushed the boundaries of this language, asserting jurisdiction, for example, based on the fact that a transaction at issue was cleared through a US bank, even though no employee of the target entity took any action while physically present in the United States. Moreover, even where that minimum territorial connection is not met, the government has not hesitated to stretch traditional legal doctrines to assert jurisdiction; for example, by charging a foreign subsidiary with 'aiding and abetting' a violation by its US parent or for making an improper payment as the agent of a US company.
In 2018, a US appeals court rejected the DOJ's attempt to employ theories of conspiracy or complicity to prosecute a foreign national, Lawrence Hoskins, who neither lived nor engaged in any alleged conduct in the United States, for violating the FCPA.18 In November 2019, in a closely watched trial, a jury convicted Hoskins of violating the 'substantive' FCPA. The judge overturned the FCPA convictions in February 2020, finding that Hoskins was not an agent of a US entity and thus lacked sufficient territorial connection to be prosecuted under the FCPA.19 While a small number of court decisions, such as Hoskins, have pushed back on the regulators' most aggressive attempts to extend jurisdiction, the significant expense and risk associated with litigating an FCPA action has resulted in few FCPA cases reaching the courtroom and therefore few legal or practical constraints on the extraterritorial reach of the FCPA. The ruling in Hoskins, however, was incorporated into the June 2020 DOJ-SEC release of the Second Edition of the FCPA Resource guide. The impact of this change remains to be seen.
Other countries have also looked beyond their shores to target illegal conduct by corporations, including various legislative reforms over the past two decades by numerous sovereign countries – such as Argentina, Brazil, France, Mexico, South Korea, and Vietnam – to expand their anti-corruption and anti-bribery laws. In addition to the FCPA, a well-known example of an anti-corruption law is the UK enactment of enhanced anti-bribery laws that came into effect in 2011. The UK Bribery Act has an expansive jurisdictional scope that may exceed even that of the FCPA, theoretically allowing the UK government to assert jurisdiction over any company that does business in the United Kingdom, even if the conduct at issue occurred elsewhere. A number of other countries – such as Canada, France, Germany, Italy, and the Netherlands – have since enacted anti-foreign corruption laws with extraterritorial application.
ii International cooperation
Because a successful international prosecution depends on effective cross-border cooperation and access to witnesses and evidence located abroad, the government frequently enlists the assistance of foreign governments and agencies in investigations. The DOJ, for instance, has many formal and informal relationships with foreign agencies to facilitate cross-border enforcement. Other agencies have not shied away from international investigation either; the SEC, for example, maintains an Office of International Affairs, through which it coordinates with foreign governments and provides training to foreign agencies in financial fraud enforcement. In 2017, the DOJ announced that it was continuing its anti-corruption cooperation efforts with the United Kingdom's Financial Conduct Authority and Serious Fraud Office by assigning a US prosecutor to those offices for a two-year term, after which the prosecutor would return to the United States to provide training and propose new policies based on their experience.
The 10 largest FCPA settlements with the United States were the result of cooperative efforts between US and foreign authorities.20 In 2020, despite the covid-19 pandemic, the DOJ Fraud Section continued its work with international counterparts, reporting a nearly threefold increase in global monetary recoveries from US$3.2 billion in 2019 to US$8.9 billion in 2020. The year 2020 also saw two of the largest FCPA monetary sanctions. In January 2020, Airbus SE, a France-based aerospace company, agreed to pay approximately US$4 billion in combined penalties – a record-high penalty – to the United States, France, and United Kingdom for violations of the FCPA. The October 2020 Goldman Sachs DPA that related to the international 1MDB scandal involved payments to government authorities in the United States, United Kingdom, Singapore and elsewhere. However, 2021 through to at least the first quarter of 2022 saw a substantial slowdown in FCPA-related enforcement actions. The year 2021 saw 14 FCPA-related enforcement actions brought by the DOJ and four such actions brought by the SEC; this represents nearly 50 per cent fewer FCPA actions initiated compared to 2020 and a more than 70 per cent drop compared to 2019. The DOJ and SEC have both stated that significant actions remain in the pipeline.
iii Local law considerations
Not all countries, however, have been as amenable to the expanding extraterritoriality of US law enforcement and enhanced cooperation among foreign authorities. Certain countries – including Mexico, Canada, some members of the European Union, and, in January 2021, China – have enacted 'blocking statutes' that prohibit, or place limits on, the production of information for use in legal proceedings in a foreign country. This puts companies operating in the international arena in a difficult position, as compliance with one law may necessarily mean running afoul of another. For example, in March 2019, a US court imposed a US$50,000 per day sanction on Chinese banks for failing to comply with DOJ subpoenas, despite claims by the banks that compliance with the subpoenas would violate Chinese law.21
A multinational company under investigation by multiple regulators in other countries also faces innumerable complexities in dealing with varying and potentially inconsistent laws relating to the discovery of evidence and examination of witnesses. For example, data privacy laws in one country may prohibit the company from complying with a subpoena from a regulator in another, and the rights to counsel and against self-incrimination may be limited or absent under other regimes. This issue came to a head in 2017 in the form of a showdown between Microsoft Corp and the DOJ. The latter sought customer emails stored on a Microsoft server in Dublin pursuant to a warrant, and the former sought to quash the warrant on the basis, among others, that Microsoft would run afoul of foreign data privacy rules by complying. The case reached the US Supreme Court before it was dismissed in light of new legislation passed by Congress affecting the extraterritorial reach of US law enforcement requests, but the issue is likely to arise again in the near future.
Year in review
Conclusions and outlook
For the past two decades, corporate and civil liability in the United States has moved inexorably towards more regulation and enforcement, harsher penalties and expanding jurisdiction. This trend is likely to continue. Although the pipeline of corporate cases dating to before the covid-19 pandemic may have partially slowed more than two years into the pandemic, activity is likely to pick up with the easing of pandemic restrictions. The Biden administration has announced its focus on corporate crimes, but likely will require more time to implement its policies as the administration balances its priorities between recovery from the pandemic, the Russia–Ukraine war, and the resulting economic consequences.
Traditional areas of enforcement, such as anti-corruption, financial fraud and healthcare fraud, are likely to remain the mainstays of regulatory action. Anti-corruption enforcement, in particular, may see increased scrutiny. In June 2021, the Biden administration published a National Security Memorandum identifying the fight against corruption as a core national security interest.22 The administration's focus on sanctions targeting Russian 'oligarchs' as a result of the 2022 Russia-Ukraine war has only sharpened this concern. The United States can also expect increased focus and resources on combating other national security threats from foreign countries, most notably China and Russia, through foreign corporate actors. A particularly important tool in this area is economic sanctions, as illustrated in the unprecedented, international and sweeping imposition of such sanctions against Russia and Russian oligarchs in response to the Russia-Ukraine war. In March 2022, the DOJ formed 'Task Force KleptoCapture' to enforce these sanctions and other economic countermeasures against corrupt Russian oligarchs.
Other areas can be expected to emerge over the next few years with increased focus. Most prominent among these is cybersecurity – encompassing issues relating to data security, privacy, hacking, cryptocurrencies and related technologies, and trade secrets – all of which present significant regulatory challenges. For example, the DOJ's Cyber-Digital Task Force, established in 2018, has called for increased inter-agency and international cooperation in enforcing virtual currency regulations. In 2021, the DOJ announced a civil cyber-fraud initiative. The SEC also formed a 'cyber unit' that has pursued a number of enforcement actions targeting the unregistered offering of cryptocurrencies, misconduct relating to abuse of financial markets through hacking, and the failure of public companies to make timely disclosures of data breaches. Similarly, in April 2021, the DOJ formed a task force to combat a proliferation of ransomware cyberattacks.
What remains as clear as ever is the necessity of maintaining a robust compliance structure to promptly detect potential wrongdoing. While total prevention is unlikely, given the innumerable ways in which a company can run afoul of the law and the sheer complexity of the various regulatory regimes, prompt detection, thorough investigation and meaningful remedial action will limit the company's exposure and maximise its chance of avoiding criminal or civil charges, or – failing that – negotiating a favourable settlement with government authorities.