The US Department of Justice (“DOJ”) made several recent announcements expanding on its expectations for corporate compliance programs and unveiling new guidance on executive compensation structures, consequence management and business communications and ephemeral messaging.
DOJ also announced a new enforcement push focused on the intersection of corporate crime and national security.
Updated Guidance on the Evaluation of Corporate Compliance Programs
DOJ Deputy Attorney General Lisa Monaco and Assistant Attorney General Kenneth Polite recently announced a number of significant policy changes affecting corporate criminal enforcement by DOJ during presentations at the ABA’s Institute on White Collar Crime in early March. These announcements expand on Monaco’s September 15, 2022 Memo on Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group, which laid the foundation for more detailed guidance on corporate compliance programs.
Among the more notable changes are:
- the rollout of a three-year Pilot Program Regarding Compensation Incentives and Clawbacks (the “Pilot Program”), which will require corporations who enter into criminal resolutions with DOJ’s Criminal Division to include “compensation-related criteria” in their corporate compliance programs and offer fine reductions to companies that seek to clawback compensation from culpable individuals in appropriate cases;
- guidance to prosecutors to assess a company’s “consequence management” procedures to identify, investigate, discipline and remediate violations of law, regulation or policy; and
- guidance on how DOJ will consider a company’s compliance program, policies and procedures relating to employees’ use of personal devices, communications platforms and ephemeral messaging applications.
Companies and regulated entities will need to reevaluate existing compliance programs to ensure their compliance programs are accounting for this new guidance.
Executive Compensation and Clawbacks
In his speech on March 3, Polite announced two key changes to DOJ policies pertaining to the evaluation of corporate compensation systems for all companies. Effective immediately, prosecutors assessing a corporation’s compliance program under DOJ’s updated guidance document, Evaluation of Corporate Compliance Programs (the “ECCP”), are directed to consider the design and implementation of a company’s compensation schemes to determine whether compensation is configured to incentivize compliance. The revised ECCP provides that prosecutors may consider, for example, “whether a company has incentivized compliance by designing compensation systems that defer or escrow certain compensation tied to conduct consistent with company values and policies” and whether a company maintains and enforces “provisions for recoupment or reduction of compensation due to compliance violations or misconduct.”
In addition to the ECCP changes, DOJ is rolling out a three-year Pilot Program, effective March 15, 2023. Pursuant to the Pilot Program, DOJ’s Criminal Division will:
- require companies entering into criminal resolutions to “implement compliance-related criteria in their compensation and bonus system and to report to the Division about such implementation during the term of such resolutions,” and
- “consider possible fine reductions where companies seek to recoup compensation from culpable employees and others who both a) had supervisory authority over the employee(s) or business area engaged in the misconduct and b) knew of, or were willfully blind to, the misconduct.”
Prosecutors are directed to integrate compliance-related criteria tied to compensation and bonuses into all corporate resolutions during the Pilot Program. Such criteria could include a prohibition on bonuses for employees who do not satisfy compliance performance requirements, disciplinary measures for employees who violate applicable law (and potentially their supervisors as well) and incentives for employees who demonstrate full commitment to compliance processes.
Likewise, the Pilot Program provides that an additional fine reduction may be warranted where a company:
- fully cooperates and timely remediates (as defined in the ECCP),
- demonstrates it has implemented a program to recoup compensation from employees who engaged in wrongdoing in connection with the conduct under investigation (or others in supervisory capacities), and
- has, in the DOJ’s estimation, demonstrated good faith in initiating a process to recoup such compensation before the time of resolution.
In these circumstances, DOJ will reduce “the fine in the amount of 100% of any such compensation that is recouped during the period of the resolution.”
Relatedly, the ECCP provides guidance for prosecutors to consider whether a company has effective “consequence management” procedures in place that allow it to identify, investigate, discipline and remediate violations of law or misconduct. Prosecutors may consider whether a company has publicized disciplinary actions internally (as a deterrent effect) and whether it is tracking data related to disciplinary actions, compliance-related allegations and compliance investigations. Prosecutors are also directed to consider whether a company has effective human resources processes in place to ensure consistent application of compliance-related investigation procedures and disciplinary actions.
Guidance on Use of Personal Devices, Communications Platforms and Messaging Applications
DOJ also revised the ECCP to include new guidance on how it will consider corporate practices on the use of personal devices, messaging applications (including ephemeral messaging) and communications platforms in the workplace.
DOJ will evaluate a corporation’s policies governing electronic devices and data against the backdrop of the company’s risk profile and specific business needs, all the while assessing the company’s ability to access and preserve electronic data and communications. In conducting this evaluation, prosecutors are directed to consider three factors:
- Communication Channels.DOJ will consider what electronic communications channels the company and its employees use or can use to conduct business. It will consider whether the company’s policies and practice vary by jurisdiction or business unit, and will look at the mechanisms the company has put in place to manage and preserve information within those electronic communication channels.
- Policy Environment.DOJ will look at the policies the company has in place to allow it to secure, monitor or access business-related communications. If the company has a “bring your own device” (BYOD) program, DOJ will consider whether the company maintains policies for preserving and accessing data and communications on those devices, as well as the policies or procedures in place to ensure that communications and other data is preserved from devices that are replaced.
- Risk Management.DOJ will consider whether the company’s approach to permitting and managing communication channels, including BYOD and messaging applications, is reasonable in the context of its business needs and risk profile, and, in particular, will assess whether the use of personal devices or messaging apps, including ephemeral messaging applications, has impaired the company’s compliance program and its ability to conduct internal investigations or respond to requests from prosecutors, civil enforcement or regulatory agencies.
As Polite made clear, DOJ will expect companies to maintain, communicate and enforce policies that ensure that “business-related electronic data and communications can be preserved and accessed,” regardless of the medium on which they are maintained. Where companies fail to produce communications, prosecutors will ask about where they are stored and the company’s ability to access them. Polite was pointed in noting that “a company’s answers—or lack of answers—may very well affect the offer it receives to resolve criminal liability. So when crisis hits, let this be top of mind.”
Focus on National Security-Related Compliance Enforcement
Finally, Deputy Attorney General Monaco announced in her speech that DOJ would be making significant resource investments in the DOJ’s National Security Division so that the division is better able to focus on the intersection of corporate crime and national security. Citing the importance of sanctions and export control enforcement in US national security, Monaco noted that corporations “are on the front lines of today’s geopolitical and national security challenges” and that “corporate criminal investigations carry profound national security implications.”
Monaco admonished business leaders to take sanctions seriously, noting that DOJ is presently handing “corporate investigations that involve sanctions evasion” across the globe, in industries as varied as transportation, financial technology, banking, defense and agriculture. According to Monaco, “sanctions are the new FCPA.”
To better equip DOJ in these efforts, Monaco announced a surge in resources to address the intersection between corporate crime and national security, including hiring 25 new prosecutors to investigate sanctions evasions, export compliance and other economic crimes.
In addition, NSD will begin issuing joint advisories with the US Department of Commerce and the US Department of the Treasury to inform the private sector about enforcement trends and “convey [DOJ’s] expectations as to national security-related compliance.”
DOJ’s latest guidance provides tangible considerations for all companies to consider for their compliance programs. Details from the ECCP and Pilot Program provide companies and their compliance officers and employees the benefit of particular expectations and benchmarks from DOJ. It remains to be seen how the new guidance will pan out in practice, however.
For instance, while DOJ notes that the new revisions are intended to provide transparency around DOJ policy, prosecutors will retain significant discretion over, among other things, fine reduction recommendations and subjective assessments of “good faith” efforts to clawback compensation and overall effectiveness of compliance programs. This is particularly the case where prosecutors have broad discretion to require companies entering into criminal resolutions to implement the broadly worded “compliance-related criteria” in their compensation systems. It remains to be seen whether different prosecutors can cohesively implement such a policy with a measure of predictable consistency.
Additionally, the broad scope and coverage of DOJ’s guidance is significant. In contrast to specific rules that exist for public companies and regulated entities (such as broker-dealers and investment advisers) around recordkeeping obligations and executive compensation clawbacks, DOJ’s guidance applies to all companies. The practical result may mean that private entities currently not subject to existing obligations under the federal securities laws will likely need to consider the implementation of similar programs implemented.
Finally, many companies have likely not paid much attention to sanctions and national-security related issues when building out their compliance programs. To the extent that sanctions do in fact become “the new FCPA,” companies will need to bolster or implement policies and procedures that ensure the same degree of corporate compliance in the sanctions context as has become standard in the FCPA context.