New Requirements Place Onus on Corporations to Demonstrate more Compliance Capabilities to Receive Consideration from Prosecutors

On September 15, 2022, Deputy Attorney General ("DAG") Lisa Monaco spoke at New York University and outlined the Department of Justice's ("DOJ") "Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group" ("DAG Memo") released the same day. DAG Monaco's speech and the DAG Memo provide important insights for compliance leaders in six areas: (1) individual accountability; (2) prior misconduct; (3) voluntary self-disclosures; (4) corporate culture and evaluation of compliance programs; (5) independent compliance monitors; and (6) DOJ's commitment to transparency.

Collectively, the announced new policy changes and several future policies outlined further reinforce recent DOJ expectations that companies must fully empower their compliance functions, and for compliance leaders to refine their programs to meet these expectations. In this client alert, Ankura highlights the major takeaways from DAG Monaco's speech and the DAG Memo and provides considerations for compliance leaders seeking to incorporate these changes in their compliance programs.

Individual Accountability

DAG Monaco emphasized that the DOJ's top priority in corporate criminal enforcement is to expedite individual prosecutions and further indicated that the DOJ will seek to complete investigations and file individual charges at the same time as corporate resolutions. The DAG Memo requires companies to disclose all relevant, non-privileged facts to allow DOJ to assess individual culpability. Any evidence that a company has either delayed or intentionally withheld information may result in the reduction or elimination of cooperation credit. In the context of cooperation, the DAG Memo recognizes that foreign data privacy laws, blocking statutes, and other restrictions may impact the production of documents located overseas. Still, it requires companies to promptly reveal these restrictions and identify reasonable alternatives to provide requested facts and evidence.

Compliance Considerations

  1. Creation of a responsive reporting structure: Corporate investigations and periodic reporting should have defined timelines and gated reviews to allow for prompt initial and follow-up reporting to the government.
  2. Incorporation of individual accountability scope in corporate investigations: Incorporate the prompt and focused assessment of individual accountability and misconduct, and require identification and safeguarding of relevant documentation to allow for early reporting to DOJ or regulatory agencies.
  3. Identification of foreign data privacy laws: Proactively monitor and assess the impact of foreign data privacy laws on the ability to produce information relevant to individual misconduct. Assessments should include consideration of alternatives and proactively identify data that should be maintained in the United States.

Prior Misconduct

DAG Monaco's speech, and the accompanying DAG Memo, include important criteria concerning the assessment of prior misconduct. Older issues of misconduct (criminal resolutions occurring more than 10 years before the conduct under investigation, or civil/regulatory resolutions more than 5 years before the same conduct) will receive less weight, as they are presumably less reflective of the current state of a company's compliance culture and program. When considering prior misconduct, the DOJ will assess whether it involved the same root cause and/or involvement of the same personnel or executive leadership.

Additionally, the DOJ will look at similarly-situated companies in a highly regulated industry to determine whether the company is an outlier. In the context of personnel, involvement of the same personnel could indicate a lack of compliance commitment, poor culture or inadequate oversight. Similarly, the same root cause in multiple cases may indicate inadequate remediation, or other serious program shortcomings.

Of note, the DAG Memo indicates that multiple NPAs/DPAs are generally disfavored, especially when similar misconduct, personnel, or entities are involved. DOJ prosecutors must obtain written approval from the responsible U.S. Attorney or Assistant Attorney General and provide notice to the Office of the Deputy Attorney General prior to entering into multiple NPAs/DPAs for a corporation.

Finally, the DOJ will not treat as recidivists acquirers of companies with a history of compliance so long as the acquired entity's compliance issues are addressed as part of the integration process.

Compliance Considerations

  • Incorporate relentless root cause analysis as an essential component of the investigative process
  • Require development of a defined and effective remediation workplan
  • Document the execution of remediation taken both prior to, and after, an NPA or DPA
  • Include compliance in pre-acquisition due diligence and incorporate compliance into post-acquisition integration planning
  • Ensure proper training, and in serious cases, discipline of personnel involved in prior misconduct.

Voluntary Disclosures

DAG Monaco reiterated DOJ policy that the clearest way for a company to avoid a guilty plea or indictment is a voluntary self-disclosure, as such disclosure is a sign that the company has an effective compliance program and a culture of compliance. Noting the successful voluntary self-disclosure programs administered by multiple DOJ components (Anti-Trust Division, Criminal Division, and National Security Division), DAG Monaco directed all other components which prosecute corporate crime to implement programs to incentivize voluntary self-disclosures and publish a formal, documented policy, including the benefits to be received by reporting companies.

The DAG Memo outlines the core principles regarding voluntary self-disclosure: (1) the DOJ will not pursue a guilty plea in the absence of aggravating factors if the company voluntarily self-discloses, fully cooperates, and engages in timely remediation of criminal conduct; (2) the DOJ will not impose an independent compliance monitor if the company demonstrates at time of resolution that it has implemented and tested an effective compliance program. DAG Monaco noted the substantial savings in fines, penalties, and costs, as well as the collateral consequences of suspension, disbarment, and reputational damage.

Compliance Considerations

  • Incorporate voluntary self-disclosure procedures into internal reporting and investigations policy
  • Align voluntary self-disclosure procedures with particularized guidance released by relevant DOJ components
  • Work with corporate general counsel or external counsel to make voluntary self-disclosures to applicable DOJ components (and other applicable regulators) as early as possible.

Corporate Culture and Evaluation of Compliance Programs

When seeking a prosecution or other enforcement action, DOJ will consider the state of a company's compliance program (1) at the time of the incident and (2) at the time of the charging decision. This provides companies with the opportunity to demonstrate significant progress towards compliance and influence the resolution outcome. While DOJ previously identified criteria for evaluating compliance programs, such as how companies measure and identify compliance risk, the DAG Memo identifies additional factors relevant to the evaluation of a compliance program and culture: (1) compensation structures and (2) use of personal devices and third-party applications.

Compensation Structures

With respect to compensation structures, the DAG Memo notes that "[c]orporations can help to deter criminal activity if they reward compliant behavior and penalize individuals who engage in misconduct". From a deterrence perspective, companies should hold individuals personally accountable. Prosecutors will consider how compensation agreements, arrangements, and packages penalize current or former employees, executives, or directors involved in the misconduct. Examples of retroactive discipline may include clawback measures or partial escrowing of compensation. From an incentive perspective, the DAG Memo requires an assessment of how compensation systems provide affirmative incentives, including use of compliance metrics and benchmarks, to reward compliance-promoting behavior, further strengthening compliance commitment and culture. Importantly, the DAG Memo requires prosecutors to look beyond the policy and assess the actual use of these clawback procedures to address the conduct at issue.

DAG Monaco tasked the Criminal Division to develop further guidance by the end of the year on how to reward corporations with compensation clawback policies and other means to shift the impact of corporate financial penalties away from shareholders and onto those directly responsible.

Use of Personal Devices and Third-Party Applications

Referencing the increasing use of personal electronic devices, as well as third-party messaging platforms (including ephemeral and encrypted messaging), the DAG Memo explicitly requires prosecutors to assess how companies address the use of personal devices and messaging platforms in assessing compliance program effectiveness and company cooperation. Minimally, the DOJ expects companies to have effective policies, provide clear training, and enforce policies in the event of a violation. Companies seeking cooperation credit should have policies to enable it to collect and provide prosecutors all non-privileged responsive documents contained on phones, tablets, and other devices used for business purposes.

DAG Monaco has also tasked the Criminal Division to study best practices in these areas and incorporate them into the next iteration of the DOJ's Evaluation of Corporate Compliance Programs.

Compliance Considerations

  • Work with Human Resources leadership to incorporate incentives and deterrence procedures into overall human resources processes, including, but not limited to compensation
  • Work with IT leadership to develop and issue guidance on appropriate business use of personal devices and ephemeral/encrypted messaging applications
  • Conduct oversight on the implementation of and compliance with these procedures
  • Refine these procedures to reflect ongoing updates to applicable DOJ guidance when published by the Criminal Division

Compliance Monitorships

Requirement for a Compliance Monitor

The DAG Memo reinforces the guidance issued in its October 2021 Memorandum that the DOJ will not have a general presumption concerning the imposition of a compliance monitor. The decision is fact driven and may include consideration of a list of ten non-exhaustive factors outlined in the DAG Memo. These factors may be organized into the following categories: engagement with regulators, nature of criminal conduct, the effectiveness of remediation, and future risk.

Engagement with regulators

  • Voluntary self-disclosure of the underlying misconduct satisfying the DOJ component's self-disclosure policy
  • Subject to oversight from industry regulators or monitoring imposed by another domestic or foreign enforcement authority.

Nature of criminal conduct

  • Long-lasting or pervasive criminal conduct across the company or which was approved, facilitated, or ignored by senior management, executives, or directors
  • Criminal conduct involving exploitation of an inadequate program or internal controls
  • Criminal conduct involving active participation of compliance personnel or failure by compliance personnel to appropriately escalate or respond to red flags.

Effectiveness of remediation

  • Implementation of an effective compliance program at the time of resolution and after a thorough risk assessment
  • Adequate testing of the compliance program and internal controls to demonstrate detection and prevention of similar misconduct
  • Implementation of adequate investigative or remedial measures to address underlying criminal conduct.

Future risk

  • Substantial change such that the risk of recurrence of the misconduct is minimal or nonexistent at the time of resolution
  • Unique risks or compliance challenges with respect to particular regions, sectors, or customers.

Selection of a Compliance Monitor

The DAG Memo requires prosecutors to employ consistent and transparent procedures in the selection of a compliance monitor, including a documented selection process. The DAG Memo requires each component that does not have a monitor selection process to create one prior to December 31, 2022. Each selection process must incorporate elements to promote consistency, predictability, or transparency: (1) creation of a standing or ad hoc monitor-selection committee, including an ethics or professional responsibility representative to address conflicts; (2) incorporation of the DOJ's commitment to diversity and inclusion; and (3) notification of the appropriate U.S. Attorney or Department Component Head of the decision.

Oversight of a Compliance Monitor

The DAG Memo requires that the monitor responsibilities and scope be well-defined and recorded in writing, with a clear workplan to be agreed by the compliance monitor and the corporation. The DAG Memo also requires prosecutors to remain apprised of the compliance monitor's work and communicate with the compliance monitor and the company. For their part, compliance monitors must provide prosecutors with regular updates about monitorship work and promptly alert prosecutors of issues. In reviewing the monitorship, DOJ prosecutors should consider the reasonableness of the monitor's review and may determine whether the initial term is longer than required or the scope is broader than necessary. As DAG Monaco indicated in her remarks, the DOJ will ensure that each monitorship is tailored to the misconduct and compliance deficiencies and exercise ongoing oversight to verify the monitor stays on task and budget – "[W]e recognize our obligations to stay involved and monitor the monitor".

Compliance Considerations

  • Implement remediation measures as soon as possible, including during the investigation phase, to address either potential or actual misconduct
  • Identify all applicable root causes and corrective actions through rigorous analysis and soliciting input from an array of stakeholders to reduce the risk of recurrence
  • Test updated controls and program effectiveness prior to a resolution to assess the effectiveness of remedial measures
  • Set up regular touchpoints with the monitor and DOJ on the company's cooperation with the monitor and progress against the monitor's workplan, as well as ongoing efforts to respond to monitor requests for information.

Transparency

DAG Monaco signaled DOJ's commitment to transparency related to resolving criminal cases. The DAG Memo requires each resolution lays out an agreed-upon set of facts, as well as describe the factors DOJ used to enter into an agreement. These factors include, but are not limited to, the company's voluntary self-disclosure, cooperation, and remedial efforts; cooperation credit; seriousness and pervasiveness of the criminal conduct; history of misconduct; state of the compliance program at the time of the incident and time of resolution; and, reasons for imposing a compliance monitor. The DAG Memo states that "[a]bsent exceptional circumstances, corporate criminal resolution agreements will be published on the [DOJ's] public website."

Compliance Considerations

  • Conduct regular reviews of criminal resolution agreements and assess lessons learned for your own compliance program
  • Design, implement, and test additional controls to address risk of similar misconduct.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.