On March 2 and 3, 2023, the U.S. Department of Justice (“DOJ”) announced several
updates to its corporate enforcement policies, in significant part formalizing recent
pronouncements about corporate compliance programs. Deputy Attorney General Lisa
Monaco and Assistant Attorney General Kenneth A. Polite, Jr. announced these updates
in remarks at the ABA’s National Institute on White Collar Crime. In particular, DOJ:
- revised its guidance to federal prosecutors relating to the Evaluation of Corporate
Compliance Programs, most notably regarding how companies approach (i) the use of
personal devices and different communications platforms and (ii) corporate
compensation systems; - launched a Compensation Incentives and Clawbacks Pilot Program that requires
settling companies to include compensation-related criteria in their compliance
programs and offers criminal fine reductions for companies that claw back
compensation from individual wrongdoers; and - revised its Memorandum on Selection of Monitors in Criminal Division Matters to,
among other things, include the 10 factors introduced in the September 2022 Monaco
memo to clarify how DOJ selects monitors.
Consistent with corporate enforcement memos released in October 2021 and September
2022, these changes reflect DOJ’s continued prioritization of incentivizing companies to
help deter criminal conduct in the first place. This includes developing and
implementing effective programs that foster a compliance-promoting culture and
holding individual wrongdoers accountable. The changes are intended in part to assist
in-house legal and compliance personnel and other executives in making the case for
investing in compliance rather than treating it principally as a cost center.
The Revised Evaluation of Corporate Compliance Programs (“ECCP”)
The ECCP features a lengthy list of questions that DOJ uses to evaluate companies’
compliance programs when making charging decisions, including whether to impose a
monitor or other compliance obligations. The Fraud Section of DOJ’s Criminal Division
issued its first ECCP in February 2017, which it then revised in April 2019 and June 2020.
Since 2019, DOJ has structured the ECCP around three core questions, namely whether
a compliance program is: (1) well designed; (2) applied earnestly and in good faith; and
(3) working in practice.
The revised ECCP adds additional requirements to the guidance on two increasingly
important aspects: monitoring off-system communications and implementing
compliance-promoting compensation structures.
Off-System Communications
The proliferation of personal devices and third-party messaging apps can present
significant compliance challenges for companies. In today’s business world, much
communication happens via text and messaging apps rather than email or other
corporate systems more easily monitored. First and foremost, this is an issue for brokerdealers and other regulated entities subject to stringent recordkeeping requirements
under the federal securities laws. As noted in our 2022 Year in Review, several Wall
Street banks and brokerages recently agreed to pay a combined $1.8 billion to resolve
investigations brought by the SEC and CFTC relating to off-system communications.
However, DOJ in particular has broadened the focus to all companies, even those
without such specific recordkeeping obligations. The 2022 Monaco Memo provided a
“general rule” that all companies’ compliance programs should contain effective and
enforced policies governing the use of personal devices and messaging platforms, as well
as clear employee training and enforcement of such policies. In our recent article in Reuters on this topic, we offered 10 practical compliance steps for companies to
consider.
DOJ’s revised ECCP now includes a detailed section on the Criminal Division’s
expectations regarding how companies approach the use of personal devices and
messaging applications. Prosecutors are now explicitly instructed to consider the
relevant communications channels, policies and risk mitigation, including:
- the types of electronic communication channels used by a company and its
employees and their preservation and deletion settings (particularly important with
ephemeral messaging platforms where messages disappear instantly); - whether the company employs a “bring your own device” (BYOD) policy and
associated preservation and similar policies; - how policies and procedures governing the use of messaging applications are tailored
to the company’s risk profile and how they ensure that business-related electronic
data and communications can be preserved and collected, if needed (e.g., in the FCPA
context where companies operate in foreign jurisdictions where text messaging on
personal devices or the use of apps like WeChat, WhatsApp or Signal may be more
common for business communications); and - how policies and procedures have been communicated to employees, and whether
they are enforced on a regular and consistent basis.
Importantly, AAG Polite noted in announcing the revisions that a “company’s answers –
or lack of answers may very well affect the offer it receives to resolve criminal liability.”
The bottom line is companies need to understand common messaging platforms and
how they are used by their employees.
Compliance-Promoting Compensation Structures
Following a similar move by the SEC last October, the revised ECCP emphasizes that
the design and implementation of compensation systems play important roles in
fostering a culture of compliance. In the revised “Compensation Structures and
Consequence Management” section (previously called the “Incentives and Disciplinary
Measures”), DOJ added a number of questions that help determine how a company’s
compensation system contributes to or undermines an effective compliance program.
Prosecutors are instructed to consider how a company’s HR process, disciplinary
measures and financial incentives foster a compensation structure that promotes and
prioritizes compliance, and how effective that structure is in practice.
More specifically, prosecutors now should consider (among other things) whether a
company:
- maintains and enforces policies and procedures that allow compliance performance
to proactively and retroactively influence compensation packages, for example,
through compensation systems that (i) recoup or reduce compensation in the wake
of compliance violations via deferred or escrowed payments, particularly for
compensation that would have not been earned but for the violations and also (ii)
reward exemplary compliance behaviors with bonuses, establishing opportunities for
employees to serve as compliance “champions” and making compliance performance
a key metric for career advancement; - tracks metrics and other data relating to disciplinary actions to measure effectiveness
of the investigation and consequence management functions (e.g., effectiveness and
consistency of disciplinary measures across seniority levels, business units and
regions) and adapts as needed its practices based on the analysis of those findings;
and - maintains a nimble compliance function that gathers insights from its hotline and
other indicia of compliance performance (e.g., the number of allegations
substantiated and the average investigation duration) and is therefore able to evolve
and adapt.
Compensation structures that effectively impose financial penalties for misconduct can
deter employees’ risky or “gray area” behavior by pinning the expenses of wrongdoing
on culpable persons’ wallets. Companies should involve Compliance department
personnel in designing, approving and awarding financial incentives, including for
personnel in senior levels of the organization.
Hotline Data Analytics
The revised “Compensation Structures and Consequence Management” section also
includes new metrics for companies’ hotline data. These include how hotline
substantiation rates compare for similar types of wrongdoing across a company, such as
across states, countries, or departments, or in comparison to similar companies.
Additionally, based on that analysis, companies are expected to conduct root cause
analysis for areas where conduct is relatively underreported or overreported.
Compensation Incentives and Clawbacks Pilot Program
Relatedly, DOJ also launched its first-ever Pilot Program on Compensation Incentives
and Clawbacks, allowing prosecutors to acknowledge clawbacks and thereby reduce
corporate fines. The program, which will run for three years before being extended or
modified:
- requires that companies entering a corporate resolution involving the Criminal
Division develop compliance-promoting criteria within their compensation and
bonus systems and report to DOJ annually about their implementation during the
resolution term; and - for companies that fully cooperate, timely and appropriately remediate, and have
implemented programs to recoup compensation, reduces the applicable criminal fines by the amount of compensation the company attempts to claw back from
culpable employees and those who “(a) had supervisory authority over the
employee(s) or business area engaged in the misconduct and (b) knew of, or were
willfully blind to, the misconduct.” This clawed-back portion stays with the
company and does not go to DOJ, effectively doubling the value of any clawback by
reducing its penalty obligations in addition to receipt of the clawback itself.
Acknowledging the expenses around pursuing clawbacks, such as potential litigation
costs, the program will ensure that companies that pursue clawbacks in good faith but
without success are still eligible to receive a fine reduction of up to 25% of the targeted
recoupment amount.
DAG Monaco explained that DOJ’s “goal is simple: to shift the burden of corporate
wrongdoing away from shareholders, who frequently play no role in misconduct, onto
those directly responsible.”
Revised Memorandum on Selection of Monitors in Criminal Division Matters
DOJ also issued a revised memo on the Selection of Monitors in Criminal Division
Matters, which builds off the 2018 Benczkowski Memo and incorporates updates
previewed in the October 2021 Monaco Memo and the September 2022 Monaco Memo
(discussed in our September 2022 FCPA Update) to clarify how DOJ selects monitors.
The slightly revised memo provides clarity on four fronts:
- Prosecutors should neither apply a presumption for nor against monitors, but
instead should consider the provided 10 (non-exhaustive) factors when assessing the
appropriateness of a monitor; - Many of the requirements for monitors also apply to monitor teams;
- Monitor selections are made according to DOJ’s commitment to diversity, equity and
inclusion; and - The cooling off period has been increased from no less than two years to no less than
three years from the date of the monitorship’s termination.
These changes clarify the process around implementing monitorships, particularly with
respect to when monitorships may be required and which candidates are available to
perform the monitorship.
Cooling Off Period
Although these revisions are aimed squarely at ensuring the independence of monitors,
the breadth of the requirements may leave a shallower pool of candidates available to
take on particular monitorships. The cooling off period, i.e. the period within which the
company may not conduct other business with the monitoring firm/individual after the
monitorship’s end, was increased from two years to three years. This provision also
included language outlining the various prohibited relationships, including “any
employment, consultant, agency, attorney-client, auditing, or other professional
relationship” with the company or any of its personnel, subsidiaries, affiliates,
successors, or agents.
Further, monitor candidates must certify that they, their firms, and their team members
have no current or former interest in or relationship with the company or affiliated
entities or personnel. As many companies seek legal advice and other professional
services from multiple firms, this requirement may significantly reduce the number of
candidates available to perform a monitorship.
Future Implications
In many ways, revisions to the ECCP and monitorship memo involve DOJ formalizing
guidance it has offered over the past few years rather than any sort of sea change to the
enforcement environment. That said, the formality, and indeed the repetition of the
guidance, amplifies DOJ’s priorities and further guides what companies can expect from
the enforcement process.
Notably, it remains to be seen how companies implement this guidance (especially
DOJ’s increasingly complex and high expectations) and how DOJ will react to those
efforts. These policy guideposts should help companies better direct their compliance
resources and draft their internal policies. However, DOJ’s actual enforcement
resolutions undoubtedly will provide the best measure of corporate efforts against DOJ’s
expectations and the benefits that DOJ is correspondingly willing to extend. While there
have been some positive signs on this front, such as the ABB Ltd. DPA, DOJ has shown
its teeth recently too, including recently extending Ericsson’s monitorship and imposing
an additional $206 million fine for breach of its DPA. We will be watching closely
upcoming resolutions for indications of precisely how DOJ applies its escalating
expectations in assessing cooperation and compliance programs on the ground.