Importance of Strengthening Corporate Compliance Program to Address Increased and Harsher Enforcement Policy Issued by U.S. Authorities

A.Increased Enforcement and Messaging by the DOJ and SEC

For several months now, the SEC has been messaging increased and harsher enforcement. For example, on October 13, 2021, the Director of Enforcement for the SEC, Gurbir Grewal, stated that the Enforcement Division of the SEC would “recommend aggressive use of these prophylactic tools [i.e., admissions, officer/director bars, conduct based injunctions, and undertakings] to protect investors and the marketplace, and relatedly the public’s trust that all institutions and individuals are playing by the same rule set.” Director Grewal noted a particular focus on recidivists: “When a firm repeatedly violates our laws or rules, they should expect that the remedial relief we seek will take that repeated misconduct into account.”

This messaging was echoed and magnified on October 28, 2021, by Deputy Attorney General (“DAG”) Lisa Monaco, who announced significant changes to the DOJ corporate enforcement program during her speech at the American Bar Association’s National Institute on White Collar Crime. DAG Monaco announced that the DOJ would “surge resources” to white collar enforcement, providing as an example “a new squad of FBI agents [that] will be embedded in the Department’s Criminal Fraud Section,” responsible for FCPA cases, financial fraud, and healthcare fraud. She also announced a number of policy changes. First, the DAG announced that the DOJ would revert to an earlier formulation in its memorandum on “Individual Accountability for Corporate Wrongdoing” (the so-called Yates Memo), which required that, in order to receive cooperation credit, companies under investigation would need to provide information related to all individuals involved in the alleged misconduct. In 2018, the Trump Administration narrowed the Yates Memo’s effect by requiring companies only to provide information related to individuals “substantially involved in or responsible for” the alleged misconduct. According to the DAG, the “substantially involved in or responsible for” limitation is “confusing in practice and afford[s] companies too much discretion in deciding who should and should not be disclosed to the government,” and also “ignores the fact that individuals with a peripheral involvement in misconduct may nonetheless have important information to provide to agents and prosecutors.” Whether this change will allow the government to charge more corporate officers and employees engaged in misconduct is unclear, but the change will require companies to meet a heightened standard to receive cooperation credit.

Second, the DAG announced that in reaching a resolution, prosecutors should consider “all prior misconduct . . . when it comes to decisions about the proper resolution with a company, whether or not that misconduct is similar to the conduct at issue in a particular investigation.” Thus, “[a] prosecutor in the FCPA unit needs to” determine whether the company has “run afoul of the Tax Division, the Environment and Natural Resources Division, the money laundering sections, the U.S. Attorney’s Offices, and so on,” as well as “whether this company was prosecuted by another country or state, or whether this company has a history of running afoul of regulators.”

This change will significantly broaden the scope of misconduct that prosecutors consider when determining whether and how to resolve a corporate criminal investigation. Many companies – particularly large corporations – routinely face regulatory scrutiny by different authorities, both domestic and foreign. Such actions – even those involving the lowest level employees and totally unrelated conduct – are now fair game for DOJ to consider as part of any resolution. And while the DAG conceded that “[s]ome prior instances of misconduct may ultimately prove to have less significance,” the consideration of prior misconduct and resolutions will almost certainly lead to harsher treatment of corporations.

In addressing what changes are yet to come, the DAG stated that the DOJ will be reviewing “whether and how to differently account for companies that become the focus of repeated DOJ investigations” and whether Non-Prosecution Agreements (“NPAs”) and Deferred Prosecution Agreements (“DPAs”) are appropriate for such companies. If a decision is made that companies with prior DOJ resolutions will automatically be forced to resolve matters by pleading guilty, this may decrease the incentives these companies have to self-disclose misconduct to the government and cooperate with the government’s investigation.

Third, the DAG stated that, to the extent that prior DOJ guidance suggested that monitors were “the exception and not the rule” or that “monitorships [were] disfavored,” she is “rescinding that guidance.” The DAG’s remarks signal a meaningful increase in the appointment of monitors.

Fourth, the DAG forecasted heightened scrutiny of companies’ compliance with the requirements of their prior criminal resolutions with the Department, which follows the disclosures made by two companies that the DOJ has declared them in breach of existing resolution agreements, one a Non-Prosecution Agreement (NPA) and one a Deferred Prosecution Agreement (DPA).

In addition to the changes that the DAG announced, the DAG also revealed the creation of a Corporate Crime Advisory Group composed of representatives from across the DOJ with corporate enforcement experience, to review and evaluate existing corporate enforcement policies and to determine what additional changes should be made. The group has already begun meeting and will examine, among other issues, “monitorship selection, recidivism and NPA/DPA non-compliance — as well as other issues, like what benchmarks we should use to measure a successful company’s cooperation.”

B.Heightened Focus on Anti-Corruption

Although the DOJ and SEC have been forecasting increased and harsher enforcement across all white collar cases, one area that has received particular attention in the Biden Administration is corruption.

On June 3, 2021, President Biden issued the Memorandum on Establishing the Fight Against Corruption as a Core United States National Security Interest (the “Anti-Corruption Memo”). The Anti-Corruption Memo directed senior figures from the administration’s national security team to oversee an interagency review to take stock of existing U.S. government anti-corruption efforts and to identify and seek to rectify perceived gaps in the fight against corruption.

On December 6, 2021, the Biden administration released the United States Strategy on Countering Corruption (the “Strategy”) as the first major step pursuant to the Anti-Corruption Memo. The Strategy outlined the administration’s plans to elevate and modernize its fight against corruption, and in doing so, provided insights into certain methods and areas of focus of enforcement.

The fact that the Biden administration continues to study, analyze, and issue pronouncements related to anti-corruption efforts, in and of itself, signals that enforcement in this area will continue—and likely increase—in the future. The Strategy points towards the use of new investigatory and prosecutorial tools to assist in increased enforcement, such as the Anti-Money Laundering Act of 2020’s (“AMLA”) recent expansions of subpoena power over financial records maintained abroad. Additionally, the Strategy reiterates the administration’s focus on the potential of cryptocurrency to facilitate illicit payments by noting the DOJ’s newly established National Cryptocurrency Enforcement Team, which focuses exclusively on investigations and prosecutions of criminal misuses of cryptocurrency.

In order to further prioritize and amplify anti-corruption efforts, the Strategy also highlights the need to enhance corruption-related research and data analytics in order to more effectively map corruption networks, proceeds, and dynamics. In line with its objective to modernize corruption-related research, the Strategy seeks to improve information-sharing both domestically and with international partners. The DOJ and SEC have consistently touted the importance of data and data analytics in identifying and investigating white collar crime, including corruption. The Strategy also spotlights the State Department’s project to create an open platform that will assist foreign partners through the use of distributed ledger technology and data analytics in enhancing transparency and oversight of illicit assets, detection of money laundering trends, and identification of suspicious transactions and sanctioned entities.

In addition to focusing on corruption in general, the Strategy also announces that the administration will develop anti-corruption action plans targeting “priority countries,” as part of enhanced country-specific and regional strategies. Although the Strategy does not name specific “priority” countries, anti-corruption enforcement has been particularly active in Latin America, Asia, and Africa. Given these signals that the administration plans to focus its anti-corruption efforts on high-risk countries and regions, expectations for companies operating in such areas will be correspondingly high. While it is unclear what methodology the administration will use to identify “priority countries,” several organizations already index countries by corruption risk, such as Transparency International, the international Financial Action Task Force (“FATF”), and the World Bank.

Also of note, the Administration highlighted its international focus by emphasizing its aim to bolster the capacity of foreign partners and to enhance support to civil society initiatives and projects. To that end, the Strategy expands the use of diplomacy and foreign assistance as leverage in seeking international cooperation to bolster partner governments’ capacities and willingness to counter corruption. Specifically, the administration pledged through the DOJ and State Departments, among others, to “deepen cooperation with and assistance to countries with the political will for meaningful anti-corruption efforts . . . including, where appropriate, partnering with countries in joint investigations and prosecutions.” For instance, the Strategy indicates plans to coordinate multilaterally on sanctions, law enforcement, and detecting and disrupting kleptocracy. These plans include establishment of an interagency Democracies Against Safe Havens Initiative, led by the State Department, to engage with foreign partners in these areas.

The Strategy also focuses on strengthening the international anti-corruption “architecture” by, among other things, committing the U.S. to assist international partners, including through financial support and strengthening their implementation of existing anti-corruption frameworks and institutions, such as the U.N. Convention Against Corruption, the Organization for Economic Cooperation and Development’s (“OECD”) Anti-Bribery Convention, and the FATF. Notably, the OECD released new anti-bribery recommendations last month, which promoted heightened law enforcement and international cooperation, revision of tax regulations, strengthening of corporate accounting and internal controls functions, and the use of suspension and debarment in public procurement programs.

These efforts would follow increased cooperation and coordination more generally in the anti-corruption space, as demonstrated by a host of coordinated resolutions between the DOJ, SEC, and foreign authorities in Brazil, France, Singapore, and the U.K., among others. Notably, while the Strategy promises expanded partnerships with foreign countries and increased diplomacy, it does not set forth a specific plan to counter the advent of blocking statutes restricting the provision of information to the Department of Justice, such as the International Criminal Judicial Assistance Law in China.

C.Enhancing Corporate Compliance Programs

The DOJ and SEC place heavy emphasis on whether a company has undertaken efforts to strengthen its compliance program, both at the time that the misconduct took place as well as in response to learning of the misconduct. The DOJ Criminal Division’s Assistant Attorney General, who oversees all FCPA cases for the DOJ and who himself is a former Chief Compliance Officer of a Fortune 500 company, recently said of compliance programs, “if you are proactive now, and you properly resource these programs, and you give them the power to actually be independent, there will be significant rewards for your organization.”

The DOJ has issued guidance regarding the types of compliance-related questions that prosecutors will ask in determining whether an FCPA enforcement should be brought and what that enforcement action should look like. See Evaluation of Corporate Compliance Programs, updated June 2020 (“DOJ Compliance Guidance”). Although this guidance was issued by the DOJ, the SEC asks similar questions and will judge compliance programs based on similar standards.

The DOJ Compliance Guidance covers a wide range of topics, but its purpose is to understand a company’s rationale for compliance decisions and the evidence that the compliance program is working. As a result, a key focus of companies should be to track and document all compliance events, including training, hotline reports and the manner in which those reports are handled, third party due diligence and steps taken to measure and strengthen the compliance program. Without such documentation, companies will not be able to provide sufficient evidence to regulators that the compliance program is effective.

The DOJ and SEC have also continued to refine and heighten their expectations around a company’s culture of compliance. Whereas in the past, the DOJ and SEC referred to a company’s “tone at the top,” the DOJ Compliance Guidance instead focuses on “conduct” and “commitment by senior and middle management.” Regulators look at actions taken by senior and middle management to determine whether the company has a strong culture of compliance, including whether compliance is a topic of board discussions and examples of deals or transactions that were rejected or modified due to compliance risks.

One of the most important features of a compliance program is how a company responds to an allegation of misconduct. Based on the DOJ Compliance Guidance and statements by regulators, there are multiple steps that a company should undertake. First, the company should investigate the conduct to determine whether, in fact, there has been a corrupt payment or fraud, and the circumstances surrounding that potential violation of law. For example, the DOJ Compliance Guidance provides that “[a]n effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.” Id. at 16. Prosecutors are instructed to determine whether the company’s investigation was properly scoped, independent, objective, appropriately conducted, and properly documented. Id.

Second, the company should undertake a “root cause analysis” to understand and address the misconduct, take sufficient disciplinary actions against the wrongdoers, and enhance its compliance program to reduce the risk of the misconduct reoccurring. Regulators expect companies to determine the cause of the misconduct and/or compliance and control failures that allowed the misconduct to occur. Id. at 17. This includes determining whether there were any systemic issues identified, what controls failed, whether the policies and procedures sufficiently prohibited the misconduct, whether they were effectively implemented, and whether those with ownership of any control failures were held accountable. Likewise, if the misconduct related to improper payments, prosecutors are instructed to determine how the misconduct was funded (e.g., purchase orders, employee reimbursements, discounts, petty cash), what processes could have prevented or detected the use of these funds, and how those processes could be improved.

Once the nature and extent of the cause(s) of the misconduct is determined, companies should take appropriate disciplinary measures. The DOJ Compliance Guidance instructs prosecutors to examine the company’s disciplinary actions in response to the misconduct and whether such actions were timely, whether managers and supervisors were held accountable for misconduct that occurred under their supervision even if they were not involved in the misconduct, and how the company has undertaken discipline in the past for prior misconduct. Id. at 18.

Finally, companies should undertake sufficient remedial measures to reduce the risk of reoccurrence of the misconduct. This can include training and control and compliance enhancements. The training should include lessons learned from the misconduct, as well as (where possible) alerting employees to disciplinary actions taken in response to the misconduct. Id. at 6. It is often best to provide such information in an anonymized fashion so as not to infringe upon any privacy or labor rights of the disciplined employees. The control and compliance enhancements should be tailored to the issues that gave rise to the misconduct. For example, if third-party vendors were involved in the misconduct, the control and compliance enhancements should strengthen the diligence process for vendors and create additional independent controls around payments to, and scrutiny of, the vendors.

By taking steps to enhance your compliance program, and responding appropriately to misconduct, you are putting your company in the best position to prevent misconduct from occurring in the first place, and to argue to regulators that your company deserves more lenient treatment.