On December 13, 2019, the National Security Division (“NSD”) of the U.S. Department of Justice (“DOJ”) released a revised enforcement policy (“the Policy”) meant to encourage companies to voluntarily self-disclose potentially willful export control and economic sanctions violations. The Policy – which applies only to matters brought by the NSD’s Counterintelligence and Export Control Section – builds on guidance issued in October 2016. It now offers companies concrete incentives to self-disclose directly to the NSD and proactively cooperate, including a presumption that they will receive a non-prosecution agreement and will not have to pay a fine or be appointed a monitor. Crucially, disclosure must be directly to the NSD; a company cannot obtain benefits under the Policy through disclosure solely to regulatory agencies.
The new Policy endeavors to set clear expectations for cooperators who voluntarily self-disclose.
Under the Policy, a company that makes a voluntary self-disclosure of a potentially willful violation1 will receive a non-prosecution agreement, will not pay a fine and will not be subject to a monitor, as long as no aggravating factors are present and the disclosure comports with the numerous requirements outlined in the Policy. To qualify, and as discussed in more detail below, a company must:
(1) Voluntarily self-disclose to the NSD,
(2) Fully cooperate with the DOJ’s investigation, and
(3) Timely and appropriately remediate any identified issues.
This is a substantial change from the previous and superseded policy, which merely provided that companies “may be eligible for a significantly reduced penalty” but provided no guarantees.
If aggravating factors are present2, but a company has otherwise complied with the above requirements, it would still receive favorable treatment. While a company in this scenario may need to accept a deferred prosecution agreement or guilty plea, it would still receive a 50 percent reduction in the fine amount, and no monitor would be imposed if the company has implemented an effective compliance program – saving the company significant time and expense. Under the Policy, however, even if a company receives a non-prosecution agreement, it may not retain any of the unlawfully obtained gains – it must pay disgorgement, forfeiture and/or restitution.
The updated Policy now applies to financial institutions and successor companies.
The DOJ’s 2016 guidance did not apply to financial institutions. At the time, the NSD reasoned that financial institutions already had extensive reporting obligations and could benefit under the general DOJ voluntary disclosure policy applicable to all businesses. This update allows financial institutions – which are already required to file Suspicious Activity Reports with and report blocked property to the Treasury Department – to receive the same self-disclosure advantages as businesses in other industries if they disclose to the NSD a potentially willful violation. Because the NSD is now offering material benefits to companies that voluntarily disclose, it would be unfair to continue to exclude financial institutions.
The Policy also applies to violations uncovered following a merger or acquisition. This is consistent with the DOJ’s approach to successor companies that discover wrongdoing in the Foreign Corrupt Practices Act (“FCPA”) context. If a company uncovers misconduct by the merged or acquired entity through timely due diligence, post-acquisition audits or compliance integration efforts, and then discloses the violation and takes action consistent with the Policy, it will receive the same benefits as other companies who voluntarily self-disclose potentially willful violations.
Benefiting from the Policy.
To get the full benefits of cooperation, a company must comply with a number of conditions – many of which pose strategic challenges.
- A company must disclose to the NSD within a “reasonably prompt time” after becoming aware of the offense. This must be before there is an imminent threat of disclosure or government investigation, and the burden of demonstrating timeliness of the disclosure is on the company. The timing of the disclosure is especially significant because the Policy provides that a company that chooses only to self-report “to a regulatory agency and not to DOJ” will not qualify for voluntary self-disclosure benefits in any subsequent DOJ investigation. This may present challenges for companies that initially disclose what they believe to be an inadvertent violation to the Office of Foreign Assets Control (“OFAC”) of the U.S. Department of Treasury or the Bureau of Industry and Security (“BIS”) of the U.S. Department of Commerce, only to discover later that the violation may have been willful.
- A company must disclose the relevant facts known to it at the time of the disclosure and provide rolling disclosures as it learns additional information. The Policy recognizes that, at the time of disclosure, a company may not yet know all relevant facts, but at a minimum, a company must initially disclose the identity of individuals substantially involved in or responsible for the violation.
- The Policy requires proactive – rather than reactive – cooperation, such as informing the DOJ of relevant evidence not in the company’s possession. This requirement is inherently subjective, and there are comparable examples in the FCPA context where the DOJ found a company’s cooperation fell short and therefore denied it full cooperation benefits.
- In addition to sharing the results of its internal investigation, a company must cooperate with the DOJ’s request to “de-conflict,” or defer internal witness interviews in deference to the government’s investigation, and to make relevant company officers and employees available for interviews with the DOJ.
- A company must preserve, collect and disclose relevant documents and information. Importantly, this requires a company to identify all available legal bases for the government to obtain overseas documents that may implicate data privacy, blocking statutes or foreign laws.
- In addition, and consistent with the DOJ’s FCPA Corporate Enforcement Policy, a company must timely and appropriately remediate the misconduct, including conducting a thorough root cause analysis, implementing an effective compliance program, disciplining culpable employees and supervisors and retaining business records. The latter remediation requirement may prove to be a challenging element for global companies in light of foreign privacy laws and increasingly common practices. To effectively remediate, companies must implement appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms consistent with potentially conflicting legal obligations.
These requirements are in addition to meeting the provisions contained in the Justice Manual’s Principles of Federal Prosecution of Business Organizations.
This move corresponds with the DOJ’s broader goals to incentivize self-reporting.
The revised Policy signals the DOJ’s continued emphasis on rewarding corporate voluntary self-disclosure. While there are many benefits to voluntary self-disclosure, the decision to disclose potentially criminal conduct should never be made lightly and, if a company chooses to take this path, the disclosure must be well coordinated to ensure the company is able to take full advantage of available relief.
1 A willful violation is an act done with the knowledge that it is illegal. The government is not required to show, however, that the defendant was aware of the specific law, rule or regulation that it violated.
2 Aggravating factors include – but are not limited to – exports of particularly sensitive items, exports to end users of heightened concern, repeat violations, the knowing involvement of senior management, or significant profits from the unlawful activity.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.