During speeches on March 2 and 3, 2023, at the American Bar Association (ABA) National Institute on White Collar Crime (the 2023 White Collar Conference), Deputy Attorney General (DAG) Lisa Monaco, Assistant Attorney General (AAG) for the Criminal Division Kenneth A. Polite, Jr. and other US government officials announced significant changes to the US Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (ECCP) and continued to emphasize the importance of effective and robust compliance policies.
First, DAG Monaco and AAG Polite announced DOJ’s first-ever Pilot Program on Compensation Incentives and Clawbacks (Pilot Program) requiring companies to “develop compliance-promoting criteria within its compensation and bonus systems.” The new Pilot Program—as well as announcements relating to additional resource commitments to corporate criminal enforcement—are part of DOJ’s broad initiative to “invigorate” corporate criminal enforcement and empower companies to invest “in compliance, in culture, and in good corporate citizenship.”
Second, in evaluating a company’s compliance policies relating to identifying, reporting, investigating and remediating potential misconduct, prosecutors should now consider a company’s policies and procedures relating to messaging applications (including third-party encrypted messaging applications), ephemeral messages, other communications platforms and the use of personal devices. Companies that do not adopt policies to preserve and produce such messages could jeopardize their ability to obtain a favorable resolution.
Third, DOJ repeatedly emphasized that it now considers corporate criminal enforcement to be a national security concern, even stating that sanctions enforcement “is the new FCPA.” DOJ announced a “surge of resources” to the Criminal and National Security divisions to address sanctions evasion and export controls and expects corporate compliance programs to specifically address these issues.
These changes come on the heels of DOJ’s announcement, last month, of a single corporate voluntary self-disclosure policy for every US Attorneys’ Office nationwide, and are simply the latest evidence of the Biden Justice Department’s substantial focus on corporate criminal enforcement. In speech after speech at the ABA White Collar Conference, DOJ officials emphasized the benefits to those companies willing to adopt changes to their compliance programs—and their approach to learning of potential misconduct—to account for these new policies.
COMPENSATION POLICIES SHOULD “PROMOTE” COMPLIANCE AND DETER MISCONDUCT
To “shift the burden of corporate malfeasance away from uninvolved shareholders onto those more directly responsible,” DOJ now expects executive and employee compensation structures to incentivize compliance and punish misconduct. As DAG Monaco explained, “Nothing grabs attention or demands personal investment like having skin in the game, through direct and tangible financial incentives.”
DOJ has revised the ECCP, which was last updated in 2020, to reflect DOJ’s new focus on executive compensation. The ECCP now includes specific language addressing compensation structures and their “important role in fostering a compliance culture.” When evaluating corporate compliance programs and potential criminal resolutions, prosecutors may now consider whether companies have incentivized compliance by designing compensation systems that defer or escrow certain compensation tied to conduct that is consistent with company values and policies. Prosecutors can also consider whether provisions for recoupment or reduction of compensation due to misconduct or compliance violations are maintained and enforced by company policies. Finally, prosecutors are now directed to examine whether compensation schemes are indicative of a positive compliance culture, considering the human resource process, disciplinary measures, consistent application, and a financial incentive system that rewards compliance-promoting behavior and punishes non-compliant or unethical conduct.
DAG Monaco and AAG Polite also announced DOJ’s new Pilot Program Regarding Compensation Incentives and Clawbacks. It will be a three-year initiative applicable to all corporate matters handled by the Criminal Division and will be effective as of March 15, 2023. The Pilot Program has two primary components:
Under the first component, prosecutors will now be directed to consider corporate compensation structures more closely. Every corporate resolution entered into by the Criminal Division will require the company to implement certain compliance-related criteria in its compensation and bonus system. The company will also be required to report its implementation of these criteria to prosecutors.
The Pilot Program suggests that the criteria could include:
1. A prohibition on bonuses for employees who do not satisfy compliance performance requirements.
2. Disciplinary measures for employees who violate applicable law and others who meet both of the following conditions:
a. Had supervisory authority over the employee(s) or business area engaged in the misconduct.
b. Knew of, or were willfully blind to, the misconduct.
3. Incentives for employees who demonstrate full commitment to compliance processes.
Prosecutors will have the discretion to fashion further “appropriate requirements” based on the facts and circumstances of the case, including applicable foreign and domestic laws, and they must also consider how the company has structured its existing compensation system.
Second, the Criminal Division will offer fine reductions to companies that seek to clawback compensation from employees who engage in misconduct relating to the conduct under investigation, had supervisory authority over the employee(s) or a business unit engaged in the misconduct, or were willfully blind to the misconduct. If a company—in good faith—has started a process to recoup or claw back such compensation before the time of resolution, prosecutors may reduce a criminal fine in the amount of the recouped compensation. If a company’s good-faith attempt to recoup compensation is unsuccessful, prosecutors may still reduce a criminal fine up to 25% of the amount of compensation that the company sought to claw back.
Indeed, DOJ has already begun requiring companies to implement changes to compensation policies as part of criminal resolutions. For example, in December 2022, Danske Bank pleaded guilty to bank fraud and agreed to forfeit more than $2 billion dollars. As part of the plea agreement, Danske Bank agreed to significantly revise its executive bonus system. Each bank executive will now be evaluated on whether that executive’s department is following the bank’s compliance program and is in compliance with all applicable laws and regulations. Executives who receive a failing compliance score will be ineligible for a bonus.
These changes to the ECCP and the Pilot Program are all part of DOJ’s ongoing efforts to increase “individual accountability.” But these new DOJ policies regarding compensation are not designed to address solely those executives and employees who engaged in actual misconduct. Rather, as AAG Polite explained, DOJ also expects corporate compensation policies to address “those who had supervisory authority over the employees or business area engaged in the misconduct.”
THE IMPORTANCE OF PRESERVING DATA FROM PERSONAL DEVICES AND MESSAGING APPLICATIONS
Last fall, in another series of speeches, DOJ put companies on notice of the department’s increasing concern about the rise and common use of certain messaging applications, including encrypted and ephemeral messaging applications such as WhatsApp, Signal and Telegram, by company employees for business purposes. DOJ expressed its concerns about these types of unofficial communications, which typically do not occur on company-provided or monitored programs, and its concerns that such communications might be inconsistent with an effective corporate compliance program and the need to access necessary data and information for audits, reviews or investigations, when necessary.
The newly revised ECCP specifically addresses corporations’ approaches to the use of personal devices and messaging applications, including encrypted and ephemeral messaging applications. Due to the growing prevalence of these messaging applications and corporate “Bring Your Own Device” (or “BYOD”) polices, DOJ now “expects companies to update their policies and practices accordingly.”
Perhaps more important, when evaluating a company’s compliance program, prosecutors will now be required to evaluate the company’s “policies and procedures governing the use of personal devices, communication platforms, and messaging applications.” These policies should be “tailored to the corporation’s risk profile and specific business needs” and ensure that business-related communications are accessible and preserved “to the greatest extent possible.” Prosecutors are also required to consider how these policies and procedures have been communicated to employees and whether they are enforced “on a regular and consistent basis.”
The revised ECCP also contains detailed questions prosecutors should address when evaluating a company’s policies. For example, prosecutors are now directed to determine whether a corporation’s policy allows the company to review business communications on personal devices and messaging applications and whether employees are required to transfer messages from messaging applications to company recordkeeping systems in order to preserve and retain them. Similarly, prosecutors should evaluate whether there are consequences for employees who refuse to provide access to business data on personal devices and whether any employees have been disciplined for providing such access.
In announcing the changes, AAG Polite also explained that when content from personal devices or non-company-provided messaging applications has not been produced during an investigation, prosecutors will no longer “accept that at face value” and will instead demand information regarding the company’s preservation and deletion policies and ability to access personal devices. Ultimately, whether a company has preserved and produced communications from ephemeral messaging applications and personal devices “may well affect the offer it receives to resolve criminal ability” and should therefore “be top of mind” as companies refine existing policies.
CORPORATE CRIMINAL ENFORCEMENT IS NOW BEING CONSIDERED A NATIONAL SECURITY ISSUE
In addition to announcing the above changes to existing policies, DAG Monaco, AAG Polite and other government officials repeatedly stated that DOJ now considers corporate criminal enforcement, including sanctions enforcement and export controls, to be a critical nation security concern. DAG Monaco explained that “[i]ncreasingly, corporate criminal investigations carry profound national security implications,” specifically referred to “sanctions [as] the new FCPA” and noted that these issues “should now be at the top of every company’s risk-compliance chart.” AAG Polite emphasized the “intersection of national security and corporate prosecution” during his separate speech.
Finally, Assistant Attorney General for National Security Matthew G. Olsen, Assistant Secretary for Export Enforcement at the US Department of Commerce’s Bureau of Industry and Security (BIS) Matthew S. Axelrod, and Treasury Department Director of the Office of Foreign Assets Control (OFAC) Andrea Gacki all made clear that the increased focus on sanctions and export controls and the associated enterprise risks, which have come to the forefront during Russia’s invasion of Ukraine, are here to stay.
To address these national security issues going forward, DAG Monaco announced a “surge of resources” to both its Criminal and National Security divisions. The National Security Division will be hiring more than 25 new prosecutors, including its first-ever Chief Counsel for Corporate Enforcement, to investigate and prosecute sanctions evasion, export control violations and other economic crimes. DAG Monaco and AAG Polite also announced that DOJ would be making “substantial investments” in DOJ’s Bank Integrity Unit, which has in the past decade imposed more than $13 billion in penalties in 10 corporate criminal resolutions with financial institutions for sanctions violations, despite having only 12 attorneys.
DOJ made clear that it now expects companies in a wide range of industries, such as transportation, FinTech, banking, defense, energy and agriculture, to implement compliance policies specifically designed to address sanctions evasion and export control violations. Indeed, AAG Olsen repeatedly referenced the importance of having a strong sanctions and export control compliance regime.
As DOJ ramps up enforcement in these areas, it is thus critical that companies make the necessary modifications to their existing compliance policies to account for this increased risk. If sanctions are in fact “the new FCPA,” companies must take it just as seriously.
The continuing and clear import of these collective statements is two-fold:
First, compliance programs matter, and companies will be expected to devote time and resources to making sure existing policies now address issues such as compensation and encrypted and ephemeral messaging applications, among other issues.
Second, the pressure on companies to self-report misconduct has never been greater. As DAG Monaco stated, “Where your company discovers criminal misconduct, the pathway to the best resolution will involve prompt, voluntary self-disclosure to the DOJ.” Throughout the 2023 White Collar Conference, DOJ officials, including Monaco and Polite, provided examples of companies who benefited from prompt disclosure, cooperation and remediation.
Companies assessing their compliance programs in light of these most recent announcements should give particular thought to:
Examining compensation models throughout the organization, including whether adjustments to such policies and/or employment agreements are needed in light of DOJ’s recent announcements.
Reviewing policies addressing the use of personal devices or messaging applications (including standard text messaging) for business communications that may occur outside of formal company-provided (and monitored) communication methods.
Reviewing and revising document retention and preservation policies, including understanding the current technology used by employees to conduct business and ensuring that companies have a means to access and preserve such communications.
Focusing on sanctions and export controls, even where such issues would not traditionally affect the company.
Ensuring that current programs help proactively identify and investigate wrongdoing so that the business can take advantage of the benefits of self-disclosure where appropriate.
Developing policies and procedures around how to quickly engage the right people in discussions to determine whether self-disclosure is appropriate—from compliance, to legal, to the board—before such an issue arises.
By making these changes, companies will put themselves in the best position to identify misconduct early and preserve the ability to self-report and obtain the benefit of a favorable resolution with DOJ should misconduct occur and self-reporting be appropriate.