Late last year, the Department of Justice (DOJ) announced material changes to the way it intended to investigate, prosecute, and resolve corporate cases. The changes were aggressive, leading us to title our update “DOJ’s Torpedoes Are in the Water: Be Your Own Monitor, or One Will Be Appointed for You.” The 2021 policy changes drew fire for being ambiguous and bluntly coercive with respect to cooperation credit, imposing policies without regard to what it’s like on the ground in a corporate compliance department.
Implicitly recognizing the problems created by the 2021 changes, last Thursday DOJ issued “further revisions” to its Corporate Criminal Enforcement Policies. These revisions include a more measured approach and clearer guidance on what is expected to obtain a favorable corporate resolution in an effort to promote self-reporting and cooperation from companies who discover misconduct.
Key policy changes include:
- focusing on investigation of individual misconduct
- clarifying how the Department will weigh prior misconduct
- allowing companies to avoid pleading guilty by timely and voluntarily reporting misconduct and cooperating on remedial actions
- implementing transparency measures around the appointment of monitors
- considering companies’ compensation packages when evaluating compliance programs
The latest revisions are the result of input from a Corporate Crime Advisory Group composed of Department leaders working on criminal, civil, antitrust, environmental, tax, and national security matters, which has received input from outside attorneys, the business community, and academia. Deputy Attorney General Lisa Monaco said the new policies are meant to give “general counsels and chief compliance officers the tools they need to make a business case for responsible corporate behavior” rather than simply accepting expensive plea deals as a cost of doing business. For example, in May 2022, Glencore pleaded guilty to manipulating oil-price benchmarks and agreed to pay about $1.5 billion to settle US, UK and Brazilian probes that had hung over the company for years. In the same month, a unit of Allianz SE pleaded guilty to fraud and agreed to pay $5.8 billion for misrepresenting the risk posed by a group of hedge funds that collapsed amid pandemic market fluctuations.
DAG Monaco emphasized that the Department’s priority is the prosecution of individuals. And, notwithstanding several recent high-profile individual convictions in the Theranos, J.P. Morgan, and 1MDB matters, DOJ believes it needs “to do more and move faster,” and to that end will “take steps to empower our prosecutors, to clear impediments in their way, and to expedite our investigations of individuals.” The Department will require cooperating companies to come forward with more information and faster; any perceived “gamesmanship” in turning over information will result in denial of cooperation credit. Prosecutors will also work to concurrently complete corporate resolutions and criminal prosecutions, not allowing the former to bog down the latter. In other words, the Department wants to put both parties “on the clock” to expedite investigations of individuals.
History of Misconduct
In its 2021 guidance, DOJ committed to considering “the full criminal, civil, and regulatory record of any company when deciding the appropriate resolution,” reflecting that 10-20% of corporate resolutions involve repeat offenders. DAG Monaco announced on Thursday that, in response to feedback that such history needs to be contextualized, DOJ will recognize that “not all instances of prior misconduct are created equal.” The most significant misconduct will be criminal resolutions in the United States and prior wrongdoing by the same personnel or management as that under review. Additionally, time matters: criminal resolutions that occurred more than ten years in the past and civil or regulatory resolutions that took place more than five years in the past will be accorded less weight. Further, the nature of the misconduct will be relevant, with that involving a similar “root cause” as the current violation garnering more weight.
Monaco clarified that a company will not inherit the prior misconduct of an entity it acquires so long as the company addresses those issues promptly.
Finally, the Department will disfavor multiple, successive non-prosecution agreements or deferred prosecution agreements, requiring any additional agreements to be approved by the Office of the Deputy Attorney General.
Voluntary Self Disclosure
Monaco also affirmed DOJ’s commitment to incentivizing and rewarding voluntary self-disclosure and announced that each Department component that prosecutes corporate crime must have a formal, documented policy program that incentivizes voluntary self-disclosure. The memo provides “common principles” to which all policies must conform, and each must include expectations on timing, types of information that must be handed over, and benefits businesses will receive for meeting those standards. Absent aggravating circumstances, the Department will not seek a guilty plea or require a monitor when a company has voluntarily self-disclosed, cooperated, and remediated. However, this guidance does leave room for discretion and variation, especially for companies that operate in multiple markets and jurisdictions.
Additionally, in providing only that self-disclosure will allow a company to avoid a guilty plea, the memo does not address whether deferred or non-prosecution agreements could still be on the table; presumably these will remain the Department’s default preferred resolutions. And it does not address whether the preexisting Foreign Corrupt Practices Act enforcement policy, which protects self-disclosing companies from prosecution or criminal resolution (a declination), will apply in all DOJ components’ policies.
Independent Compliance Monitors
The Department is also increasing transparency around the appointment of monitors by providing ten non-exhaustive factors to guide prosecutors in evaluating the need for, selection of, and oversight of a monitor, implementing a documented selection process for monitors, and ensuring that the scope of every monitorship is tailored to the misconduct at issue.
On the theory that money speaks louder than words, the Department will now consider compensation schemes when evaluating the strength of a company’s compliance program. For example, on the deterrence side, companies should employ clawback provisions, escrow compensation, or explore other ways to hold financially accountable those who contribute to misconduct. On the incentive side, companies should build compensation systems that use affirmative metrics and benchmarks to reward compliance-promoting behavior. Further guidance is expected on these issues by the end of the year.
The supplemental guidance provides a more balanced approach than the 2021 version, providing additional incentives to companies to self-report misconduct and cooperate in investigations.
The most important takeaway from the guidance is that companies need to work harder to ensure that their compliance programs are well-designed and functioning to deter and detect wrongdoing. Here are some key questions to help begin the conversation between board members and senior management and those charged with overseeing the day-to-day compliance function:
- Does the company have specific compliance policies and internal controls tied to high-risk areas which have been updated based on a recent risk assessment?
- Companies, and the industries and environment in which they operate, are not static and, therefore, neither is their risk. The foundation of an effective, risk-based compliance program is the company’s risk profile, which should be regularly updated. Compliance programs are not one-size-fits-all, and it is important for companies to identify high-risk areas, design policies and controls based on those risks, monitor changes to the company’s risk profile, and update the compliance program accordingly.
- Does the compliance function have sufficient management support and resources?
- A culture of compliance cannot exist without adequate support, both through buy-in from all levels of management and through adequate resources to support compliance and audit functions. Management, especially at the local levels, is critical to a well-functioning compliance program. And, if management at all levels does not take compliance seriously or support it with needed resources, neither will many employees and other stakeholders.
- Is the company auditing and/or conducting independent evaluation of the compliance program and are those findings, as well as “lessons learned” from discovered misconduct, being integrated into program updates?
- Just as regular risk assessments are critical to designing an effective compliance program, regular review of how policies and controls are working is critical to evaluating how well the compliance program is functioning and evolving.
- How is the company measuring effectiveness of employee-reporting and protection of internal whistleblowers?
- It is axiomatic that for a company to have the ability to self-report misconduct, it must first learn of the misconduct. Having a “speak-up” culture is critical to a well-functioning compliance program. While audits, controls, and automated monitoring can detect wrongdoing, significant misconduct may never be detected without internal reporting. Boards and senior management should inquire on what steps are being taken to encourage internal reports, protect those who speak up, and punish those who do not.
- Is there a process to ensure that the company sufficiently remediates wrongdoing?
- When wrongdoing is discovered, is there a process to ensure consistent and appropriate remediation? For instance, is there a disciplinary committee to ensure accountability and consistent discipline? Is the company documenting control and policy gaps and the steps taken to remediate those gaps?
As we wait to see how prosecutors deploy the Department’s guidance, we will be monitoring whether the Department makes good on its promise that companies that step up and own up won’t have to pay up.