Nicholas McQuaid, the second-in-command of the Department of Justice's Criminal Division, spoke recently at the American Conference Institute's 15th Annual Forum in Houston on the FCPA.

Here are some of the key takeaways:

  • Effective advocacy: McQuaid shared what he found particularly effective in corporate presentations to DOJ:
    • It is "incredibly encouraging" when a chief compliance officer participates and demonstrates "a deep understanding of their own programs and the broader context of the business," and "you can tell that they are empowered to make decisions, ask questions."
    • It is also helpful when senior management participate to show that the company has both an "empowered CCO and real buy-in from leadership."
    • Effective presentations show results from testing of compliance data, how the testing program is structured, and a "clear indication" that the company has held "themselves accountable for their compliance performance even before the DOJ has come on the scene."
    • Conversely, companies fare poorly when it appears they adopted "a set of policies that came off the shelf [and] weren't well-targeted," or a program that "didn't have a lot of thought or buy-in from the broader company."
  • Data is essential: "There is no way to have a meaningful compliance program that doesn't use data of some kind," McQuaid said. The DOJ does not expect all companies to employ sophisticated data analytics, but "every company has data of some kind" and must have "intentionality about how to use that data in how to evaluate the effectiveness of their compliance programs, based on the nature of the company and their capacity." Every company must be able to articulate six things:
  1. the business areas, locations, or activities they have identified as risks;
  2. the data they collect to manage those risks;
  3. the warning signs they look for in that data;
  4. why they think those signs will effectively identify problems;
  5. how rigorously they monitor the data; and
  6. how they hold themselves accountable for performance.

Conversely, DOJ is troubled when data are siloed or any part of the company does not analyze it through a compliance lens.

  • Relevance of prior misconduct: In the October 2021 Monaco Memo, DOJ announced that it would consider the entirety of a company's past violations, even if those incidents involve different laws, regulators, or jurisdictions. McQuaid noted that DOJ is "still working hard to develop" precisely how it will weigh prior misconduct. In his view, a similar resolution by the same corporate entity will be more relevant than an unrelated resolution by a different entity, but the point of the Monaco Memo is that everything should be considered.
  • "Stay tuned": The Criminal Division has "a very robust pipeline" of investigations that started from whistleblowers, voluntary disclosures, and leads from enforcement authorities in other countries. Companies should "stay tuned" and expect to see "significant resolutions" over the next year, including cases against individuals and in areas that have received less attention in the past..

A common theme from officials at the conference is that getting in the best position to deal with the threat of enforcement starts well before DOJ calls, including through a compliance program that is well attuned to the business's activities, a coherent and well-executed strategy on data, and a robust response to issues that arise.

Don't hesitate to reach out to the author or your trusted advisors at Arnold & Porter if you have questions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.