Building on attempts in recent years to strengthen the Department of Justice’s (DOJ’s) white collar criminal enforcement, on September 15, 2022, Deputy Attorney General Lisa Monaco announced revisions to DOJ’s corporate criminal enforcement policies. The new policies, and those that are in development, further attempt to put pressure on companies to implement effective compliance policies and to self-report if there are problems. Notably, the new DOJ policies set forth changes to existing DOJ policies through a “combination of carrots and sticks – with a mix of incentives and deterrence,” with the goal of “giving general counsels and chief compliance officers the tools they need to make a business case for responsible corporate behavior” through seven key areas:
- Individual Accountability and Timeliness of Corporate Cooperation: DAG Monaco noted that “the Department’s number one priority is individual accountability.” To that end, the new policies build upon the 2015 Yates Memo, requiring corporations to disclose “all relevant, non-privileged facts and evidence about individual misconduct” in a timely fashion, particularly if corporations want to receive cooperation credit. Additionally, DOJ now will “require cooperating companies to come forward with important evidence” to prosecutors “more quickly.” Thus, she emphasized that “if a cooperating company discovers hot documents or evidence [during a government investigation], its first reaction should be to notify the prosecutors.”
- Expansion of DOJ’s Voluntary Self-Disclosure Programs and Expectations That Companies Will Self-Disclose Wrongdoing: DAG Monaco stated that DOJ wants to “clarify the benefits of promptly coming forward to self-report, so that chief compliance officers, general counsels, and others can make the case in the boardroom that voluntary self-disclosure is a good business decision.” Additionally, DAG Monaco proclaimed that DOJ “expect[s] good companies to step up and own up to misconduct. Voluntary self-disclosure is an indicator of a working compliance program and a healthy corporate culture.” As explained by Principal Associate Deputy Attorney General Marshall Miller on September 20, 2022, “[E]very Justice Department component that prosecutes corporate crime cases, including the U.S. Attorney community, will now have a voluntary self-disclosure policy that defines its terms and identifies its rewards . . . any company that self-discloses promptly will not be required to enter a guilty plea—absent aggravating factors—and will not be assessed a monitor, if it has remediated, implemented and tested an effective compliance program.”
- Updated Compliance Policies Relating to Cell Phones, Laptops, and Third-Party Messaging Platforms: The updated guidance acknowledges the ubiquity of personal smartphones, tablets, laptops, and third-party messaging platforms and the significant corporate compliance risks such devices pose. Prosecutors are directed to consider whether a corporation has implemented “effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.” The guidance sets forth that “[a]s a general rule, all corporations with robust compliance programs should have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications, should provide clear training to employees about such policies, and should enforce such policies when violations are identified.” Prosecutors are directed to consider whether a corporation seeking cooperation credit has such policies in place.
- History of Misconduct: The new policies further note that “[n]ot all instances of prior misconduct . . . are equally relevant or probative.” As DAG Monaco explained, prosecutors are now directed to make analysis of the nature and circumstances of prior misconduct by a company, including, labeling as dated “criminal resolutions that occurred more than 10 years before the conduct currently under investigation, and civil or regulatory resolutions that took place more than five years before the current conduct.” The updated guidance also emphasizes being mindful when comparing corporate track records. For example, if a corporation operates in a highly regulated industry, then its history of regulatory compliance should be compared to that of similarly situated companies in that industry. However, DOJ will now “disfavor multiple, successive non-prosecution or deferred prosecution agreements with the same company” when deciding how to resolve an investigation. That said, the updated guidance emphasizes that this policy should not disincentivize corporations that have been the subject of prior resolutions from voluntary and timely self-disclosures of current or prior conduct.
- Acquisitions: As Principal Associate DAG Miller explained, DOJ does not want to deter companies with “good compliance programs from acquiring companies with histories of misconduct.” As such, he noted that DOJ believes that “[a]cquiring companies should be rewarded—rather than penalized—when they engage in careful pre-acquisition diligence and post-acquisition integration to detect and remediate misconduct at the acquired company’s business.”
- Executive Compensation: DAG Monaco noted that as part of evaluating the strength of a company’s compliance program as a factor in determining the appropriate terms of corporate resolution, DOJ will now reward companies that financially penalize employees, executives, or directors whose direct or supervisory actions or omissions contribute to misconduct. Examples of such penalties include compensation clawback measures and partial escrowing of compensation. Further, as the new policies set forth, DOJ will consider corporations’ affirmative incentives for compliance-promoting behavior, which “incentivize executives and employees to engage in and promote compliant behavior and emphasize the corporation’s commitment to its compliance programs and its culture.” While DOJ is expected to provide further guidance on this area by the end of 2022, Principal Associate DAG Miller set forth that DOJ will ask the following two questions:
- Has the company clawed back incentives paid out to employees and supervisors who engaged in or did not stop wrongdoing?
- Is the company targeting bonuses to employees and supervisors who set the right tone, make compliance a priority, and build an ethical culture?
- Independent Compliance Monitorships: The new DOJ policies set forth factors to make the monitorship process more transparent, including guidance to prosecutors relevant to evaluating whether a monitor is appropriate, selecting monitors, and performing a continued review of monitorships.
New Demands on Chief Compliance Officers
Building upon prior guidance regarding corporate misconduct, including the Yates Memo, the June 2020 “Evaluation of Corporate Compliance Programs,” and other guidance, DOJ continues to emphasize that corporate compliance programs need to be current, robust, and visible throughout the organization and that policies and procedures must be updated.
Indeed, DAG Monaco’s speech was not the first time this year that DOJ has announced new expectations about corporate compliance and how programs would be assessed and evaluated. On March 25, Assistant Attorney General Kenneth Polite announced that DOJ attorneys had been directed to consider whether a Chief Executive Officer (CEO) and/or Chief Compliance Officer (CCO) of a company should be required to certify, as part of a resolution with DOJ:
- the accuracy of annual reports submitted pursuant to corporate resolutions, and
- that the compliance program is “reasonably designed and implemented.”
This announcement was followed by a new policy announced by DAG Monaco while speaking at a Securities Industry and Financial Markets Association event on May 26, 2022. That policy requires CCOs to sign off on particular resolutions with DOJ. Touted as being designed to give greater “power” to the CCO and to ensure direct access and reporting to boards of directors, this new requirement has been met with concern as to how it will be implemented and the impact on CCOs and Boards of Directors.
There has been at least one example of the use of the new CCO sign-off requirement in a settlement. In a recent plea agreement, DOJ required that the CEO and CCO of the company certify, under penalty of perjury, that the company had complied with certain specified requirements imposed by DOJ as a condition of the agreement with respect to the establishment of a compliance program, and that the compliance program is “reasonably designed, implemented, and enforced so that the program is effective in deterring and detecting violations . . .” (in that case, of the FCPA and other anti-corruption laws).
This new requirement of certifications under penalties of perjury that a program is “reasonably designed” is ripe for differing interpretations. There is no definition given for “reasonable design.” Yet the highest-level executives of a corporation may be expected to attest to this unspecified standard as a condition of a resolution with DOJ, subjecting themselves to individual liability if their certifications are deemed “false.”
DOJ has given little comfort on this issue, indicating merely that potential liability “will depend on the facts.” However, recent DOJ publications suggest that there are some things that companies could do to ensure a satisfactory compliance effort, including:
- employee surveys and analysis of those surveys,
- tying compensation to compliance initiatives,
- effective processes for reporting potential misconduct, and
- tracking and investigating such reports.
DOJ has made it clear that this is not a comprehensive list and that more is sure to come.
While the new CCO certification policy makes plain that DOJ intends to aggressively pursue companies that, in its view, lack effective compliance programs, it places CCOs directly in the crosshairs to face individual risk. This may have a chilling effect on companies seeking to retain qualified CCOs. Must a CCO now perform her own due diligence, separate and apart from the company, in assessing the effectiveness of a compliance program in order to protect herself from potential individual liability? This is particularly noteworthy given that DOJ elected not to set forth specifically how to comply with this new standard.