Just before the Thanksgiving holiday, the US Department of Justice (DOJ) published revisions to its Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy (CEP). The revisions clarify that companies should self-disclose potential violations as early as possible, as opposed to waiting to disclose potential violations until after an investigation has been substantially completed.
The CEP — which is part of DOJ’s Justice Manual and serves as nonbinding guidance in criminal cases outside the FCPA context — encourages companies to voluntarily self-disclose potential misconduct by establishing a rebuttable presumption that DOJ will decline to prosecute a company for FCPA violations if the company (i) voluntarily self-discloses misconduct; (ii) fully cooperates with DOJ’s investigation; and (iii) takes timely and appropriate remedial action. The CEP also sheds light on how DOJ assesses compliance, remediation, and potential penalty reductions (for when a declination is not appropriate).
The latest revisions "recognize" that a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure, especially where only preliminary investigative efforts have been possible.” To reflect this, DOJ changed the CEP to clarify that a company need only disclose “all relevant facts known to it at the time of the disclosure” relating to “any individuals substantially involved in or responsible for the misconduct at issue” (emphasis added). The previous version of the CEP required disclosure of all the facts a company knew (without referring to the time of the disclosure) about “all individuals substantially involved in or responsible for the violation of law.” Under the revised CEP, companies need now disclose only “relevant evidence not in the company’s possession” when the company knows about such evidence; previously, the CEP required companies to share “opportunities for [DOJ] to obtain” evidence from third parties whenever the company knew of such an opportunity or “should [have been] aware” of such an opportunity (emphasis added).
In sum, these changes:
- let companies obtain the benefits of self-disclosure based on preliminary investigations without carving the initial self-disclosure in stone (i.e., companies can breathe easier about not losing credibility if their subsequent investigation requires them to revise their preliminary findings);
- this mirrors self-disclosure frameworks at other US government agencies, such as the process for voluntarily self-disclosing potential sanctions violations to the Office of Foreign Assets Control through initial and final disclosures;
- no longer require a company to determine that a “violation of law” has occurred, thereby potentially alleviating the risk of civil liability to shareholders, lenders, and other third parties, as well as regulatory impacts (e.g., loss of licenses or special statuses) that may otherwise arise when a company acknowledges that its employees have broken the law; and
- relieves companies of the broad obligation to inform DOJ of “opportunities” for collecting evidence that companies “should be aware of,” and limits what must be disclosed to the evidence that reporting companies actually know.
It remains to be seen what guidance DOJ’s partner in FCPA enforcement—the US Securities & Exchange Commission (SEC)—may provide on these topics. Several recent declinations under the CEP were accompanied by multimillion-dollar SEC penalties. Managing joint disclosures to DOJ and the SEC may, therefore, remain a delicate process.
Parallel SEC risk notwithstanding, it is clear from DOJ’s recent round of revisions to the CEP that DOJ hopes to entice more companies to self-report, and to self-report earlier, by addressing some of the practical issues and complexities that arise in investigations.