Just one year after President Biden's election, senior administration officials have signaled in public remarks that the federal government will amplify enforcement pressure on corporations and their employees through increased investigatory rigor and more severe penalties, particularly for repeat offenders and companies in highly regulated industries. Recent pronouncements from senior enforcement officials within the Administration have also provided insight into key areas of focus and important policy initiatives, including:
- The Department of Justice's (DOJ) intention to "surge resources for corporate enforcement";
- Revisions to DOJ practices and policies associated with corporate criminal enforcement cases relating to (1) enhanced corporate cooperation expectations; (2) significant attention in charging decisions to prior corporate misconduct, including regulatory and civil resolutions in addition to criminal history; and (3) a renewed interest in imposing corporate compliance monitors; and
- Significant emphasis from officials at the US Securities and Exchange Commission (SEC) as well as other administrative agencies on enhanced corporate responsibility, greater consideration of recidivism in the imposition of penalties and substantial attention to gatekeepers (i.e., auditors, compliance professionals, attorneys, underwriters, etc.). Substantively, civil and administrative agencies have emphasized concerns about data privacy, cybersecurity and cryptocurrency.
These pronouncements-each of which is described in greater detail in this Client Alert and all of which complement one another and reflect significantly more enforcement risk for corporations-will assuredly have a significant impact on investigations, prosecutions, enforcement actions, corporate resolutions and related corporate compliance initiatives over the coming years.
1. "Surge" in Corporate Enforcement Resources
On October 5, 2021, Principal Associate Deputy Attorney General John Carlin announced that the DOJ is "building up to surge resources for corporate enforcement,"1 adding that the DOJ has "started to redouble the department's commitment to white collar enforcement." Those efforts include both the use of "big data" analytics to identify, investigate and then prosecute new cases (particularly in healthcare, commodities and securities matters) and the allocation of new and additional resources to corporate enforcement. Principal Associate Deputy Attorney General Carlin announced the creation of a new squad of Federal Bureau of Investigation agents that will work full time with prosecutors on white collar cases and be embedded in the DOJ's Criminal Fraud Section.
2. Changes to Corporate Enforcement Policies
On October 28, 2021, Deputy Attorney General Lisa Monaco delivered remarks at the American Bar Association's (ABA) 36th National Institute on White Collar Crime conference.2 Among other things, Deputy Attorney General Monaco announced both the creation of the DOJ's Corporate Crime Advisory Group and important changes related to the practices and policies associated with corporate criminal enforcement cases. These changes relate to (1) corporate cooperation expectations; (2) consideration of prior corporate misconduct; and (3) the imposition of corporate compliance monitors. In a series of speeches and public appearances, SEC Enforcement Division Director Gurbir Grewal has emphasized the same points, indicating close coordination between DOJ and SEC approaches in the coming years.
Corporate Cooperation Expectations
Deputy Attorney General Monaco announced that the DOJ is reverting to the "Yates Memo" policy requiring that cooperating companies disclose all non-privileged information about all individuals involved in the misconduct. This announcement reversed the DOJ's 2018 guidance requiring disclosure only of information about employees who were "substantially involved in or responsible for" the misconduct. Deputy Attorney General Monaco explained that the 2018 approach allowed companies-at the expense of prosecutors-excessive discretion in evaluating individual involvement and culpability. Director Grewal endorsed the revised DOJ approach to this issue as "perfectly in line" with the SEC's Enforcement Division views on corporate cooperation.3
Consideration of Prior Corporate Misconduct
Deputy Attorney General Monaco also announced that the DOJ will now consider all prior misconduct-rather than only a history of "similar misconduct"-when making decisions regarding corporate resolutions. This includes consideration of "the full criminal, civil and regulatory record" of a company when determining the appropriate resolution. Deputy Attorney General Monaco provided the example of a prosecutor in the DOJ's Foreign Corrupt Practices Act Unit now needing to determine whether a company has a prior history of matters with other, unrelated department units or divisions, US Attorneys' offices, regulatory agencies, or non-US or state authorities. Similarly, Director Grewal noted that the SEC will also pay attention to prior corporate misconduct when determining what penalties it should impose to resolve matters. He noted that when companies engage in the same conduct time and again in spite of previous penalties, the SEC will look to "ratchet up" sanctions. In particular, Director Grewal suggested that repeat offenders would more likely need to admit misconduct and face prophylactic remedial measures, such as monitorships or independent compliance consultants.
Imposition of Corporate Compliance Monitors
Deputy Attorney General Monaco announced that "[t]o the extent that prior Justice Department guidance suggested that monitorships are disfavored or are the exception, [she is] rescinding that guidance," a position reiterated by Environment and Natural Resources Division Assistant Attorney General Todd Kim in a November 3 speech.4 In light of the DOJ and SEC's common position, companies should expect more corporate monitorships as part of DOJ and SEC resolutions in the years to come.
Creation of the Corporate Crime Advisory Group
Deputy Attorney General Monaco announced the formation of the Corporate Crime Advisory Group. This group will be composed of representatives from every component of the DOJ involved in corporate criminal enforcement and will have a "broad mandate" to consider policy changes on topics "like monitorship selection, recidivism and NPA/DPA non-compliance-as well as other issues, like what benchmarks [the DOJ] should use to measure a successful company's cooperation."
3. Focus on Gatekeepers
At the ABA's October white collar crime conference, Director Grewal made remarks that emphasized the Commission's renewed interest in gatekeepers, which the SEC views as "the first line of defense more often than not against all manner of misconduct."5 As a consequence, the SEC will "be taking a hard look at gatekeepers like auditors and audit firms, attorneys, and underwriters."6 Director Grewal reiterated that position on November 5, when he noted that gatekeepers are responsible for companies' compliance with both the "spirit and letter of the law" and are the first line of defense against "conduct in the margins."7 SEC Chair Gary Gensler made the same point during a November 4 webcast, when he emphasized lawyers' obligation to advise clients on how to meet the SEC's expectations, rather than "just help [them] paper over cracks" or "sort of cover up . . . in the ambiguous sort of reading of something when it's across the line and the spirit of the law."8 Director Grewal has also emphasized the need for companies to tailor their compliance programs proactively to meet the needs associated with their specific business models and products.9
4. Focus on Cryptocurrency
As cryptocurrencies and other forms of digital assets become increasingly prevalent, companies should take note of the various ways in which regulators have signaled wariness about the crypto assets market.
Chair Gensler has not been shy about his view that the crypto assets market needs greater oversight. In recent testimony before the US Senate Committee on Banking, Housing, and Urban Affairs, Chair Gensler highlighted that "large parts of the field of crypto are sitting astride of . . . regulatory frameworks that protect investors and consumers, guard against illicit activity, and ensure for financial stability." To address this "Wild West,"10 Chair Gensler has instructed the SEC staff (1) to work with other financial regulators within the current legal framework to protect investors in the crypto assets market and (2) to identify opportunities for additional legislation to fill regulatory gaps that exist.11 Director Grewal has confirmed the SEC is looking closely at "unregistered and fraudulent initial coin offerings, unregistered crypto exchanges, and crypto-lending and award programs" in particular.12 Chair Gensler has urged attorneys specifically to help crypto companies register with the SEC rather than skirt regulatory regimes.13
The SEC is, of course, not alone in its focus on cryptocurrencies and other digital assets. For example, the acting Chairman of the Commodity Futures Trading Commission (CFTC), Rostin Behnam, noted during his confirmation hearing to become CFTC Chairman that, when it comes to digital assets, the CFTC has been "one of the few cops on the beat because of limited statutory authority related to anti-fraud and anti-manipulation" and that the CFTC's recent enforcement actions related to digital assets are just the "tip of the iceberg."14
The DOJ too is focused on cryptocurrency risks. Deputy Attorney General Monaco announced in October that the Department has created the National Cryptocurrency Enforcement Team to "draw on the [DOJ's] cyber and money laundering expertise to strengthen [its] capacity to dismantle the financial entities that enable criminal actors to flourish [and profit] from abusing cryptocurrency platforms."15
5. Focus on Cybersecurity
In light of the many cybersecurity debacles over the past 18 months,16 cybersecurity has also emerged as a top issue for law enforcement and regulators.
The SEC has conducted extensive sweeps to gather information about recent cyber intrusions and has made public statements concerning the importance of cybersecurity in safeguarding the US securities markets. As evidence of its new focus on this issue, the SEC has highlighted enforcement actions against eight financial firms for "failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm,"17 and charges brought against an issuer for failing "to maintain disclosure controls and procedures designed to ensure that all available relevant information concerning" a vulnerability that exposed sensitive customer information was analyzed for disclosure.18 More recently, the SEC brought an action against a foreign issuer for "making material misstatements and omissions regarding a 2018 cyber intrusion that affected" student data from customer accounts in the United States.19 Notably, two of these cybersecurity-related cases in recent months were brought against public companies, which suggests a more aggressive focus on disclosure failures. Chair Gensler has also indicated that the SEC will consider cybersecurity-related rulemaking, to prompt enhancements to issuers' "disclosures regarding cybersecurity risk governance."20
The DOJ too is focused on cybersecurity. Deputy Attorney General Monaco has described the cyber-threat environment as "more aggressive; more sophisticated; and more belligerent in terms of what the actors are doing," and the DOJ is keen on addressing the risks that the environment presents.21 In April 2021, Deputy Attorney General Monaco announced at the Munich Cyber Security Conference that the DOJ would launch a strategic 120-day cybersecurity review.22 As a result of the review, the DOJ has implemented the Civil Cyber-Fraud Initiative,23 which will investigate and penalize cybersecurity-related fraud by federal contractors and grant recipients under the False Claims Act. The Initiative will take to task the "entities or individuals that put US information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."24
In October, Director of the Federal Trade Commission's (FTC) Bureau of Consumer Protection Samuel Levine announced that the FTC has updated its Safeguards Rule, which now details "common-sense steps" that "[f]inancial institutions and other entities that collect sensitive consumer data . . . must implement to protect consumer data from cyberattacks and other threats."25
As the Biden Administration's corporate enforcement priorities come into focus, companies should keep in mind the three points of emphasis common to all recent Biden Administration pronouncements-corporations should expect "robust enforcement," "robust remedies" and "robust compliance."26 Companies should prepare for these initiatives with:
- Focus on their "gatekeeper" functions-internal audit, legal and compliance, for example-to ensure they have adequate resources, are empowered within the organization and have sufficient autonomy from the business.
- Active assessment of compliance programs and related controls, to confirm that they are tailored to the company's risks and that they adequately monitor for and remediate misconduct.
- Attention to key areas of emerging risk, such as cryptocurrency and cybersecurity, and focus additional compliance resources as needed.
Of course, as Deputy Attorney General Monaco noted, "Looking to the future, this is a start-and not the end-of this administration's actions to better combat corporate crime." All signs indicate a robust corporate enforcement environment in the years to come.
1 John Carlin, Principal Associate Deputy Attorney General, Department of Justice, Keynote Speech for GIR Connect: New York (Oct. 5, 2021), https://globalinvestigationsreview.com/news-and-features/in-house/2020/article/john-carlin-stepping-doj-corporate-enforcement.
2 Lisa O. Monaco, Deputy Attorney General, Department of Justice, Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA's 36th National Institute on White Collar Crime (Oct. 28, 2021), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.
3 Gurbir Grewal, Director, Division of Enforcement, Securities and Exchange Commission, Remarks at Program on Corporate Compliance and Enforcement at the NYU School of Law, The Next Wave of Corporate Enforcement Conference (Nov. 5, 2021).
4 This view of monitorships as "the exception" in the prior administration's DOJ correlated with a drop in the number of corporate monitorships imposed as a part of corporate resolutions. Indeed, after then-Assistant Attorney General for the DOJ's Criminal Division Brian A. Benczkowski published a new guidance memorandum regarding monitor selection on October 12, 2018 (see https://www.wilmerhale.com/en/insights/client-alerts/20181015-doj-announces-new-policy-on-assessing-the-need-for-and-selection-of-corporate-monitors), the DOJ required independent monitors in only five of the 31 non-prosecution or deferred prosecution agreements entered into by the DOJ in 2019; none were imposed in 2020. Robert Anello, Who Watches The Store? Drastic Decline Of Corporate Monitors Under Trump (Sept. 8, 2020), https://www.forbes.com/sites/insider/2020/09/08/who-watches-the-store-drastic-decline-of-corporate-monitors-under-trump/?sh=4a88c00873f0.
5 Stewart Bishop, Top Enforcement Officials Eye Individual Prosecutions, Crypto, Law360 (Oct. 27, 2021), https://www.law360.com/fintech/articles/1435304.
6 Stewart Bishop, Top Enforcement Officials Eye Individual Prosecutions, Crypto, Law360 (Oct. 27, 2021), https://www.law360.com/fintech/articles/1435304.
7 Gurbir Grewal, Director, Division of Enforcement, Securities and Exchange Commission, Remarks at Program on Corporate Compliance and Enforcement at the NYU School of Law, The Next Wave of Corporate Enforcement Conference (Nov. 5, 2021).
8 Al Barnarino, Gensler To Attys: Don't Help Crypto Cos. Hide From The SEC, Law360 (Nov. 5, 2021), https://www.law360.com/compliance/articles/1437927.
9 Gurbir Grewal, Director, Division of Enforcement, Securities and Exchange Commission, Remarks at Program on Corporate Compliance and Enforcement at the NYU School of Law, The Next Wave of Corporate Enforcement Conference (Nov. 5, 2021).
10 Gary Gensler, Chair, Securities and Exchange Commission, Testimony Before the United States Senate Committee on Banking, Housing, and Urban Affairs (Sept. 14, 2021), https://www.banking.senate.gov/imo/media/doc/Gensler Testimony 9-14-21.pdf?campaign_id=4&emc=edit_dk_20210914&instance_id=40340&nl=dealbook®i_id=70730586&segment_id=68859&te=1&user_id=d2459ee53daabf5e543e42e89edb1431.
11 Gary Gensler, Chair, Securities and Exchange Commission, Testimony Before the United States Senate Committee on Banking, Housing, and Urban Affairs (Sept. 14, 2021), https://www.banking.senate.gov/imo/media/doc/Gensler Testimony 9-14-21.pdf?campaign_id=4&emc=edit_dk_20210914&instance_id=40340&nl=dealbook®i_id=70730586&segment_id=68859&te=1&user_id=d2459ee53daabf5e543e42e89edb1431.
12 Stewart Bishop, Top Enforcement Officials Eye Individual Prosecutions, Crypto, Law360 (Oct. 27, 2021), https://www.law360.com/fintech/articles/1435304.
13 Al Barnarino, Gensler To Attys: Don't Help Crypto Cos. Hide From The SEC, Law360 (Nov. 5, 2021), https://www.law360.com/compliance/articles/1437927.
14 Rostin Behnam, Acting Chairman, Commodity Futures Trading Commission, US Senate Committee on Agriculture, Nutrition, and Forestry Nomination Hearing to be Chairman and a Commissioner of the Commodity Futures Trading Commission (Oct. 27, 2021), https://www.agriculture.senate.gov/hearings/to-consider-the-following-nomination-the-honorable-rostin-behnam-of-maryland-to-be-chairman-and-a-commissioner-of-the-commodity-futures-trading-commission.
15 Press Release, Department of Justice, Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-national-cryptocurrency-enforcement-team.
16 See, e.g., Ben Kochman, DHS Added To List Of Gov't Agencies Hit By Nation-State Hack (Dec. 14, 2020), https://www.law360.com/articles/1337459/dhs-added-to-list-of-gov-t-agencies-hit-by-nation-state-hack; Kartikay Mehrotra and William Turton, CNA Financial Paid $40 Million in Ransom After March Cyberattack, Bloomberg (May 20, 2021), https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack; Stephanie Kelly and Jessica Resnick-Ault, One password allowed hackers to disrupt Colonial Pipeline, CEO tells senators, Reuters (Jun. 8, 2021), https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08/; Rebecca Robbins, Meat processor JBS paid $11 million in ransom to hackers, N.Y. Times (Jun. 9, 2021), https://www.nytimes.com/2021/06/09/business/jbs-cyberattack-ransom.html.
17 Press Release, Securities and Exchange Commission, SEC Announces Three Actions Charging Deficient Cybersecurity Procedures (Aug. 30, 2021), https://www.sec.gov/news/press-release/2021-169.
18 Order Instituting Cease-and-Desist Proceedings, In the Matter of First American Financial Corporation, Securities Exchange Act of 1934 Rel. No. 92176, File No. 3-20367 (Jun. 14, 2021).
19 Order Instituting Cease-and-Desist Proceedings, In the Matter of Pearson plc, Securities Act of 1933 Rel. No. 10963, Securities Exchange Act of 1934 Rel. No. 92676, Administrative Proceeding File No. 3-20462 (Aug. 16, 2021).
20 Office of Information and Regulatory Affairs, Regulation Identifier Number 3235-AM89 (Spring 2021), accessed at https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202104&RIN=3235-AM89.
21 Lisa O. Monaco, Deputy Attorney General, Department of Justice, Deputy Attorney General Lisa O. Monaco and Assistant Attorney General Kenneth A. Polite Jr. Deliver Opening Remarks at the Criminal Division's Cybersecurity Roundtable on 'The Evolving Cyber Threat Landscape' (Oct. 20, 2021), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-and-assistant-attorney-general-kenneth-polite-jr.
22 Maggie Miller, Justice Department to undertake 120 day review of cybersecurity challenges, The Hill (Apr. 30, 2021), https://thehill.com/policy/cybersecurity/551195-justice-department-to-undertake-120-day-review-of-cybersecurity.
23 Press Release, Department of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
24 Press Release, Department of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
25 Press Release, Federal Trade Commission, FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches (Oct. 27, 2021), https://www.ftc.gov/news-events/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial.
26 Gurbir Grewal, Director, Division of Enforcement, Securities and Exchange Commission, Remarks at Program on Corporate Compliance and Enforcement at the NYU School of Law, The Next Wave of Corporate Enforcement Conference (Nov. 5, 2021).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.