Highlights
- On the heels of its recent Corporate Enforcement Policy updates, the U.S. Department of Justice (DOJ) announced several new policies around executive compensation clawbacks, ephemeral messaging, and the intersection of corporate crime and national security.
- The eagerly expected announcements provide tangible guideposts for all companies on key hot-button issues.
- Questions persist, however, about consistent enforceability of such policies as well as material differences between DOJ's guidance and other rules under federal securities laws for public companies and regulated entities.
In back-to-back speeches to the American Bar Association's National Institute on White Collar Crime on March 2-3, 2023, U.S. Department of Justice (DOJ) Deputy Attorney General Lisa O. Monaco and Assistant Attorney General Kenneth Polite announced several significant policy changes affecting corporate criminal enforcement by the DOJ. The changes follow Monaco's Sept. 15, 2022, Department-wide memo, which laid the foundation for more detailed guidance on corporate compliance programs.1 Among the more notable changes are: 1) the rollout of a three-year Pilot Program on Compensation Incentives and Clawbacks (Pilot Program), which will require corporations that enter into criminal resolutions with DOJ's Criminal Division to include "compensation-related criteria" in their corporate compliance programs and offer fine reductions to companies that seek to claw back compensation from culpable individuals in appropriate cases; 2) detailed guidance on how DOJ will consider - among other things - corporations' approaches to, and compliance programs concerning, employees' use of personal devices, communications platforms and messaging applications; and 3) a "significant restructuring" of and surge in resources for the National Security Division (NSD), which will include the addition of more than 25 new prosecutors who will investigate and prosecute sanctions evasion, export control violations and similar economic crimes.
Although such guidance provides several specific data points on corporate compliance programs and frameworks, companies (both public and private) and regulated entities will need to reevaluate existing compliance programs to juxtapose this new guidance with current - and potentially conflicting - obligations under federal securities laws.
Executive Compensation and Clawbacks
In his speech on March 3, Polite announced two "significant changes" to DOJ policies pertaining to the evaluation of corporate compensation systems for all companies. First, Polite announced that, effective immediately, prosecutors assessing a corporation's compliance program under DOJ's guidance document, Evaluation of Corporate Compliance Programs (ECCP), "will consider more closely compensation structures and consequence management [procedures] when evaluating compliance programs." The revised ECCP provides that prosecutors may consider, for example, whether a company maintains and enforces "provisions for recoupment or reduction of compensation due to compliance violations or misconduct" or "whether a company has incentivized compliance by designing compensation systems that defer or escrow certain compensation tied to conduct consistent with company values and policies."
The ECCP emphasizes the importance of "compensation structures that clearly and effectively impose financial penalties for misconduct" in order to foster compliance and deter risks. The ECCP notes that "providing positive incentives, such as promotions, rewards, and bonuses for providing and developing a compliance program or demonstrating ethical leadership, can drive compliance" and encourages prosecutors to examine whether companies offer such incentives. Similarly, the ECCP directs prosecutors to consider whether the resolving company maintains transparent, consistent and effective processes for addressing (and redressing) misconduct.2 Prosecutors will now consider both a company's compensation structures in assessing its corporate compliance program and its "consequence management" procedures, which, as Monaco noted, aim to "shift the burden of corporate malfeasance away from uninvolved shareholders onto those more directly responsible."3
In addition to the ECCP changes, Polite announced the launch of the Pilot Program. Under the three-year Pilot Program, effective March 15, 2023, DOJ's Criminal Division will:
- require companies entering into criminal resolutions to "implement compliance-related criteria in their compensation and bonus system and to report to the Division about such implementation during the term of such resolutions," and
- direct Division prosecutors to consider possible fine reductions where companies seek to recoup compensation from culpable employees and others who both a) had supervisory authority over the employee(s) or business area engaged in the misconduct and b) knew of, or were willfully blind to, the misconduct.
Prosecutors will have discretion to design specific compliance-related requirements based on the particular facts and circumstances of the case. Per the Pilot Program, such criteria could include a prohibition on bonuses for employees who do not satisfy compliance performance requirements; disciplinary measures for employees who violate applicable law and potentially their supervisors; and incentives for employees who demonstrate full commitment to compliance processes.
Likewise, the Pilot Program provides that an additional fine reduction may be warranted where a company meets the following criteria:
- the company fully cooperates and timely and appropriately remediates;
- the company demonstrates it has implemented a program to recoup compensation from employees who engaged in wrongdoing in connection with the conduct under investigation, or others (as set forth above); and
- the company has in good faith initiated a process to recoup such compensation before the time of resolution.
In these circumstances, Criminal Division prosecutors "shall accord, in addition to any other reduction available under applicable policy, a reduction of the fine in the amount of 100% of any such compensation that is recouped during the period of the resolution."
And even where a company fails to claw back compensation from wrongdoers, prosecutors will have discretion to accord a fine reduction of up to 25 percent of the amount of compensation the company attempted to claw back. Per DOJ, "[s]uch reductions may be warranted where, for instance, a company incurred significant litigation costs for shareholders or can demonstrate that it is highly likely that it will successfully recoup the compensation shortly after the end of the resolution term."
Guidance on Use of Personal Devices, Communications Platforms and Messaging Applications
In addition to the much-anticipated guidance on executive compensation, DOJ also announced last week additional guidance on how it will consider corporate practices surrounding use of personal devices, messaging applications (including ephemeral messaging) and communications platforms in the workplace. As Polite noted in his speech, "use of these services is [now] ubiquitous," and DOJ expects corporations to both "adapt to the realities of modern life and update their policies and practices accordingly[.]" As noted in the revised ECCP, DOJ will evaluate a corporation's policies governing electronic devices and data against the backdrop of the company's risk profile and specific business needs, all the while assessing the company's ability to access and preserve electronic data and communications. In conducting this evaluation, prosecutors are directed to consider three factors:
- Communication Channels. Among other things, DOJ will consider what electronic communications channels the company and its employees use or can use. Does this vary by jurisdiction or business unit? What mechanisms has the company put in place to manage and preserve information within electronic communication channels? And what power do employees have to alter preservation or deletion settings?
- Policy Environment. What policies does the corporation have in place to allow it to secure, monitor or access business-related communications? If the company has a "bring your own device" (BYOD) program, does it maintain policies for preserving and accessing data and communications on those devices? What policies or procedures are in place to ensure that communications and other data are preserved from devices that are replaced? Overall, is the company enforcing its policies?
- Risk Management. This factor focuses on a company's ability to reasonably manage security and maintain control over company data and communications. The kinds of questions prosecutors will ask under this factor include: Is the company's approach to permitting and managing communication channels, including BYOD and messaging applications, reasonable in the context of its business needs and risk profile? Has the use of personal devices or messaging apps, including ephemeral messaging applications, impaired the company's compliance program, its ability to conduct internal investigations or respond to requests from prosecutors, civil enforcement or regulatory agencies? And, what are the consequences for employees who refuse the company access to company communications?
As Polite made clear, the bottom line is that DOJ will expect companies to maintain, communicate and enforce policies that ensure that "business-related electronic data and communications can be preserved and accessed." Companies that fail to do so, Polite warned, may find that this affects the offers they receive from DOJ to resolve criminal liability.
Expected Surge in National Security-Related Compliance Enforcement
Finally, Deputy Attorney General Monaco announced in her speech that DOJ would be making significant resource investments in NSD so that the division is able to better address a "troubling trend": the intersection of corporate crime and national security. Citing the importance of sanctions and export control enforcement in U.S. national security, Monaco noted that corporations are increasingly on the front lines of geopolitical and national security challenges. Monaco admonished business leaders to take sanctions seriously, noting that DOJ is presently handling "corporate investigations that involve sanctions evasion" across the globe, in industries as varied as transportation, financial technology (FinTech), banking, defense and agriculture. Monaco did not mince words about the importance of sanctions-related prosecutions, noting that "sanctions are the new FCPA."
To better equip DOJ in these efforts, Monaco announced that more than 25 new prosecutors would investigate and prosecute sanctions evasions, export control violations and similar economic crimes. Likewise, NSD will hire its first-ever chief counsel for corporate enforcement. In addition, NSD will begin issuing joint advisories with the U.S. Department of Commerce and the U.S. Department of the Treasury to inform the private sector about enforcement trends and "convey [DOJ's] expectations as to national security-related compliance."
Summary
DOJ's latest guidance provides tangible considerations for all companies to consider for their compliance programs. Details from the ECCP and Pilot Program provide companies and their compliance officers and employees the benefit of particular expectations and guideposts from DOJ. But several questions persist.
First, while DOJ notes that the new revisions are intended to provide transparency around DOJ policy, prosecutors will retain significant discretion over, among other things, fine reduction recommendations and subjective assessments of "good faith" efforts to claw back compensation and overall effectiveness of compliance programs. This is particularly the case where prosecutors have broad discretion to require companies entering into criminal resolutions to implement the broadly worded "compliance-related criteria" in their compensation systems. It remains to be seen whether different prosecutors can cohesively implement such a policy with a measure of predictable consistency.
Second, the breadth of DOJ's guidance cannot be overstated. In contrast to specific rules that exist for public companies and regulated entities (such as broker-dealers and investment advisers) around recordkeeping obligations and executive compensation clawbacks, DOJ's guidance applies to all companies. The practical result may be that private entities currently not subject to existing obligations under the federal securities laws need to consider implementing programs similar to those implemented by larger - and perhaps better resourced - entities.
Third, the contours of DOJ's policies provide different guideposts for public companies and regulated entities than they are currently subjected to under the federal securities laws and exchange-related rules. For example, recently enacted Exchange Act Rule 10D-1 covering executive compensation recoupment rules for exchange-listed entities is limited to "executive officers," a narrower subset of employees than "culpable employees" and others who both a) had supervisory authority over the employee(s) or business area engaged in the misconduct and b) knew of, or were willfully blind to, the misconduct. Additionally, for registered investment advisers, the recordkeeping obligations of Advisers Act Rule 204-2(a)(7) require maintenance of records related to, among other things, advice recommendations for clients and certain client-specific transactional communications. In contrast, DOJ's guidance suggests broader ephemeral messaging considerations for all communications related to a company's business (more in line with broker-dealer obligations under Exchange Act Rule 17a-4). The difference in scope may warrant revisiting recordkeeping and clawback policies to assess whether further revisions are necessary in light of DOJ's recent guidance.
Footnotes
1 See Holland & Knight's previous alert, "DOJ Expands Framework for Cracking Down on Corporate Crime," Sept. 19, 2022.
2 For example, the revised ECCP asks prosecutors to consider whether a company has been transparent with employees about the terms of separation for an executive who has been "exited" from the company due to a compliance violation, or whether a company has policies and practices in place to "put employees on notice that they will not benefit from any potential fruits of misconduct."
3 The revised ECCP defines compensation management procedures as procedures "to identify, investigate, discipline and remediate violations of law, regulation, or policy."