With any new administration, the U.S. Department of Justice (DOJ) often shifts focus from one set of enforcement priorities to another. However, one area has remained a focus from administration to administration: guidance and expectations related to corporate compliance programs.
In fact, DOJ’s guidance pronouncements are seemingly more detailed and its expectations heightened, particularly over the past year. This article addresses recent DOJ guidance pronouncements and priorities, and how companies can best meet the letter, spirit and intent of compliance program expectations.
Recent DOJ corporate compliance guidance and pronouncements
Clawback pilot program
In March 2023, DOJ announced a new three-year pilot program on compensation incentives and clawbacks, which includes two key components: (1) compliance requirements for criminal resolutions; and (2) credit for compensation that has been clawed back against penalties imposed in a DOJ resolution.
According to the program, every DOJ Criminal Division corporate resolution – whether it be fraud, foreign bribery, sanctions, money laundering, or something else – will now include a requirement that the company implement criteria related to compliance in its compensation structure and to report annually to DOJ on the implementation.
The criteria “may include, but are not limited to: (1) a prohibition on bonuses for employees who do not satisfy compliance performance requirements; (2) disciplinary measures for employees who violate applicable law and others who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct; and (3) incentives for employees who demonstrate full commitment to compliance processes.”
The pilot program also offers discounts off of the penalty amount imposed by DOJ where the company fully cooperated and remediated and demonstrated it is seeking to “recoup compensation from employees who engaged in wrongdoing in connection with the conduct under investigation,” or others who were supervisors and were willfully blind to the misconduct. In such circumstances, the Criminal Division will reduce the fine amount by 100% of any clawed back compensation.
Even where a company is unable to recoup compensation, so long as it demonstrates a “good faith attempt” to do so, prosecutors have the discretion to reduce the fine by up to 25% of the amount of compensation the company sought to claw back.
Revision to Evaluation of Corporate Compliance Programs guidance
In addition to implementing the clawback pilot program, the DOJ Criminal Division also announced revisions to its Evaluation of Corporate Compliance Program guidance (ECCP), which is one of the most detailed compliance guidance documents published by enforcement authorities. Among other things, the ECCP outlines questions prosecutors ask companies in evaluating their compliance programs. The revised guidance now incorporates questions related to financial compensation as a method to incentivize compliance, as well as policies and controls around the use of messaging apps and personal devices.
With respect to clawbacks specifically, DOJ asks whether a company has “policies or procedures in place to recoup compensation that would not have been achieved but for misconduct attributable directly or indirectly to the executive or employee,” and “[w]ith respect to the particular misconduct at issue, has the company made good faith efforts to follow its policies and practices in this respect?”
In short, this suggests DOJ expects companies to put in place broad policies to allow it to recoup compensation in the event of misconduct, and to actually enforce those policies when misconduct occurs.
Unlike the clawback pilot program, the compliance guidance goes well beyond the narrow topic of clawbacks, instructing prosecutors to consider compensation “structures that clearly and effectively impose financial penalties for misconduct,” and that inject “positive incentives, such as promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership.” Likewise, the guidance asks, “whether a company has made working on compliance a means of career advancement, offered opportunities for managers and employees to serve as a compliance ‘champion’, or made compliance a significant metric for management bonuses.”
With respect to messaging apps and personal devices, the revised ECCP focuses on three new topics: communication channels, policy environment and risk management. The ECCP focuses on what communication channels the company permits and why, whether the company has given thought to how this should vary by jurisdiction and business function, and the mechanisms the company has put in place to preserve electronic communication channels (including with respect to the deletion settings on the apps).
Where companies have a “bring your own device” (BYOD) program, prosecutors will want to know what policies are in place and whether the company is permitted to review business communications on personal phones according to the BYOD policy. Prosecutors will also want to know whether the company has a policy requiring employees to transfer business-related data and information from a personal phone to company platforms, whether these policies are reasonable in light of the company’s circumstances and profile, and whether these policies are actually being enforced. Prosecutors will also probe what type of controls the company has in place to monitor and ensure compliance with these policies, and what discipline the company has imposed for employees who violate the policies.
M&A due diligence guidance
More recently, DOJ announced new guidance on merger and acquisition (M&A) due diligence, providing for a safe harbor of sorts for acquiring companies that voluntarily disclose misconduct uncovered at the target company. So long as the acquiring company discloses the misconduct to DOJ within six months of the closing, fully remediates the misconduct within one year, and pays full restitution and disgorgement, it will enjoy a presumption of a declination.
This presumption will be afforded even if the misconduct at the target company involves aggravating circumstances, such as high-level executive involvement in the misconduct, and the misconduct disclosed under this policy will not count against the acquiring company as part of a recidivism analysis in future cases. These benefits of the guidance will not be imparted to the target company, which can “potentially” qualify for a declination, and only absent aggravating circumstances. The presumption of a declination will also not be afforded when the misconduct was otherwise required to be disclosed or already public or known to the DOJ, and the policy will not protect against civil DOJ enforcement actions.
Speeches and focus on sanctions and data analytics
In addition to the new compliance guidance, DOJ officials are consistently beating the drum on the need for companies to focus on sanctions compliance and data analytics as part of the compliance program. Although these two priorities have yet to show up in DOJ’s ECCP or other compliance guidance, DOJ officials have grabbed headlines with statements like “national security laws must rise to the top of your compliance risk chart” and “sanctions are the new FCPA.”
DOJ officials have likewise emphasized the use of data analytics as part of an effective compliance program. Although they stopped short of stating that a compliance program must use data analytics or artificial intelligence in order to be effective, the clear expectation is that companies will use these tools as part of their compliance program if they are using them as part of their business.
Analysis of recent DOJ policy changes and pronouncements
It is noteworthy, and perhaps a little ironic, that regulators such as the U.S. Securities and Exchange Commission (SEC) have not released compliance guidance even close to the level of detail as DOJ. Especially because the SEC has the ability to bring, and recently has been bringing, enforcement actions based on compliance and control failures. DOJ, which does not have the ability to criminalize inadequate compliance programs, nevertheless has communicated significant guidance setting very weighty expectations for corporate compliance programs. Although this level of transparency from DOJ is admirable and provides insight into how DOJ is thinking about these issues, the guidance does raise some concerns.
Compensation clawback implications
The clawback pilot program and related guidance raises several questions and issues. Many countries restrict or preclude a company from clawing back compensation from employee wrongdoers, and thus the discounts accorded for clawbacks under the pilot program create incongruous and inequitable results for companies based solely on geography. Even when it is possible to claw back compensation, the process often entails protracted and expensive litigation, and can lead to the company being forced to turn over a considerable amount of confidential information (including from its internal investigation) to the employee.
Moreover, perhaps unintentionally, the pilot program’s design will most likely benefit companies with the most egregious misconduct because it is often the more senior executives who receive the type of compensation that can be clawed back – i.e., bonuses and equity compensation – resulting in a greater potential for clawback and thus a greater discount when senior executives are implicated in the misconduct.
More about messaging apps
Like the clawback guidance, it is more difficult to adhere to DOJ’s guidance on messaging apps and personal devices in certain countries than others as a result of employment, labor and privacy laws. Thus, regardless of whether a company has policies addressing these issues, they may be unenforceable. Perhaps more importantly, there really does not seem to be a good solution to the problem of personal devices and messaging apps, and DOJ (and SEC, for that matter) do not seem to have one. If employees use off-system communications channels and/or personal devices to engage in misconduct, there is very little a company can do to stop them, or even obtain those communications – and the cost of attempting to do so may be substantial.
What does the new guidance mean for M&A?
With respect to the M&A due diligence guidance, there are significant limitations making the value and impact of the guidance questionable. Notably, the full benefits of the safe harbor only apply to the acquiring entity, not the target company – despite the fact the acquiring entity will likely own the target company at the time of any resolution with it, and therefore will ultimately bear the reputational and financial costs of any resolution.
Moreover, there are often circumstances where the acquiring company, even with good faith robust due diligence, will not learn of the misconduct or be able to fully remediate it within the allotted time. Although DOJ qualified that the deadlines “could be extended by Department prosecutors” on a case-by-case basis, the company would have to trust the reasonableness and discretion of the DOJ prosecutors when making the decision to disclose outside of DOJ’s stated timeline. And the safe harbor will not protect the acquiring company from civil enforcement actions and will not apply if DOJ already knows about the misconduct.
Recommendations for companies on how to respond
The guidance described above does not mean companies should over-torque and necessarily devote significant resources to these areas. Despite DOJ’s claim that all companies should catapult national security to the top of their compliance risk chart, many companies may not have significant national security risk. Companies should certainly be attuned to national security risks, and DOJ’s activity in this space is noteworthy and an important consideration. However, indiscriminately dedicating resources into this area without carefully assessing the company’s risk may divert precious resources away from areas of significantly higher risk for a given company.
Likewise, as described above, clawing back compensation, depending on the circumstances, may not be worth the investment even with the increased incentives and expectations from DOJ. With respect to clawbacks, whether they can or should be pursued in any given case, in order to potentially benefit from the pilot program or DOJ credit in the future, companies can implement policies that permit them to recoup in appropriate cases.
Implementing an enterprise messaging app platform and sophisticated monitoring and control processes may help you limit the use of, and/or retain communications over, personal devices and messaging apps, and it may increase the credit you receive from DOJ and SEC if you should ever find yourself before them. Yet, it is impossible to know what actual difference this would make overall, much less in capturing or preventing the use of off-system communications to engage in misconduct, and it may not be the best approach for particular companies.
Nevertheless, companies can implement – where local law permits, at least – policies governing messaging apps and personal devices that address what messaging platforms and devices are permitted to be used for business communications. Recommended best practices regarding messaging apps include:
- Requirements and prohibitions for using personal devices and messaging apps for business
- Expectations for business communications that occur on non-approved platforms and devices, for example, that they be transferred to approved platforms
- Retention expectations for data and information on approved platforms, including what the deletion settings (to the extent the platform has them) should be set to
- Disciplinary consequences for failing to comply with these policies.
Companies should further train employees on these policies and monitor and enforce violations of them. Monitoring does not need to take the form of sophisticated analytics, but instead may be as simple as including messaging apps and personal devices as a routine item for internal audits and something that is asked about during internal investigations.
Similarly, within the policies and pronouncements, there are reasonable steps a company can take to put it in a better position with the DOJ. For example, companies should ensure national security and sanctions are one of the areas considered as part of their risk assessment, even if it may not be an obvious risk. Companies that use data analytics to promote their business should consider ways in which those analytics can be leveraged for compliance purposes.
2024 prediction
Although 2024 will undoubtedly bring with it a number of surprises, it is safe to assume DOJ will continue to focus on corporate compliance, sanctions and data analytics. This will likely include continued speeches about clawbacks, messaging apps and personal devices, M&A due diligence, data analytics, and national security, and enforcement actions that look to highlight these issues. I also predict we will see DOJ become flexible with some of the guidance it has released to account for practical issues and obstacles that arise as it tries to apply these new policies and to incentivize the type of behavior DOJ is seeking to encourage.
Top 10 Trends in Risk & Compliance
For many more insights and guidance, download the full eBook and access to the accompanying webinar featuring analysis and expert insights from Carrie Penman and Kristy Grant-Hart.