Since the beginning of the Biden administration, US Department of Justice (DoJ) officials have emphasized a renewed focus on corporate criminal enforcement, but the statistics tell a different story.
In 2021, for example, FCPA penalties were at their lowest since 2015, with only $525 mn collected, compared with the yearly average of $2.56 bn from 2016 to 2020. FCPA penalties increased in 2022 to roughly $1.5 bn but remained far from the high-water mark.
To tackle this decline, the DoJ has made several not-so-subtle attempts to invigorate its corporate enforcement program. It recently published a revised corporate enforcement and voluntary self-disclosure policy (CEP), which it promoted through the public remarks of several high-level DoJ officials.
Deputy Attorney General Lisa Monaco, for example, called the new policy a ‘carrots and sticks’ approach, including both sweeter carrots and bigger sticks than before. It offers companies that self-report misconduct a greater chance at a declination and gives prosecutors more latitude to provide greater benefits to companies that co-operate with the department.
But the policy also implies that companies that do not self-disclose will face harsher penalties than ever before. Companies navigating this new enforcement environment must understand the policy in detail (including what it does not clearly lay out), assess their own exposure, consider new investments in compliance and – despite what the DoJ says – disclose selectively.
RECENT POLICY CHANGES
One of the most significant changes to the policy is the expansion of the range of cases that qualify for a declination. Previously, a company was ineligible for a declination if a case involved aggravating circumstances, which the DoJ defined to include involvement of executive leadership in the misconduct, significant profits to the company from the wrongdoing, egregious or pervasive misconduct or criminal recidivism.
Under the new policy, which applies to all matters under the criminal division’s jurisdiction, a company can obtain a declination even in the presence of aggravating circumstances when it voluntarily self-reports the misconduct, shows that at the time of the misconduct it had an effective compliance program, provides ‘extraordinary’ co-operation with the investigation and undertakes ‘extraordinary’ remediation.
The new policy opens up the possibility for recidivist companies to receive credit for self-disclosure and gives prosecutors more latitude to offer greater benefits for co-operation. Indeed, aside from increasing the fine reduction companies may earn – from 50 percent to as much as 75 percent off the applicable US sentencing guidelines fine range – the policy for the first time allows recidivist companies to obtain a similar reduction.
For a recidivist company, however, the reduction will likely not be off the low end of the fine range. And either way, in order to qualify, recidivist and non-recidivist companies must not only self-disclose but also show that at the time of the misconduct they had an effective compliance program and system of internal controls in place, provide extraordinary co-operation with the investigation and undertake extraordinary remedial measures to cure the effects of the misconduct.
The new CEP also sweetens the co-operation credit for companies that do not self-disclose. First, a company that does not self-disclose, but later fully co-operates and both timely and appropriately remediates, now may receive up to 50 percent off the low end of the fine range (assuming there are no aggravating circumstances).
Second, where the company does not self-disclose and aggravating circumstances are present, prosecutors will still have discretion to accord a reduction of up to 50 percent, but it generally will not be off the low end of the fine range. In all cases, companies will be required to pay disgorgement, forfeiture and/or restitution as applicable.
WHAT SHOULD COMPANIES DO TO LIMIT EXPOSURE?
Will the DoJ’s new policy and guidance incentivize companies to disclose early and often? That’s unlikely and probably unwise. That is particularly so when there are no public test cases to give companies comfort that the DoJ’s new approach will result in leniency. This being the case, it is only natural that both general and outside counsel will hesitate to report most violations.
The new CEP asks companies to make two major bets: first, that a significant investment in upgrading the compliance program will reduce enforcement exposure, and second, that the benefits of potentially over-reporting violations outweigh the risks of under-reporting. It also asks companies to provide information that may lead to the prosecution of individual employees in exchange for leniency for the company.
Companies should consider taking several steps to best preserve the option to self-report and to avail themselves of the full range of benefits available to companies that do so under the new CEP.
First and not surprisingly, the revised CEP clearly emphasizes the importance of having effective compliance programs – both at the time of the misconduct and the time of resolution – when prosecutors are making their charging decisions. The DoJ has also continued to devote resources to its ability to meaningfully evaluate the adequacy and effectiveness of companies’ compliance programs.
Together, this provides legal and compliance departments with additional leverage to advocate for renewed and updated investments in their compliance programs. Indeed, the government has provided additional guidance about what it is looking for: hard data showing that the program works. As a matter of good governance and to position themselves for the best outcome should a criminal investigation arise, companies should redouble their efforts to conduct regular risk assessments of their business and to make enhancements to their compliance programs and internal controls based on the results of those risk assessments.
Second, therefore, companies will need to carefully prioritize their compliance investments relative to their legal exposure, including evaluating areas of greatest risk, assessing where the company is already collecting relevant data and where it may need to begin doing so and partnering with tech vendors to build out robust risk assessment tools and mechanisms.
In-house and outside counsel will need to be alert to managing new areas of risk that come with this process. For example, companies may have to collect and preserve new types of data they may not previously have retained, even some previously considered ephemeral, such as messages from chat apps, or beyond the company’s own purview, such as texts on employees’ personal phones or internal records of business affiliates.
These challenges will be more acute for multinational companies operating in vastly different data privacy environments simultaneously. Companies will also need to allocate enough employee time to review incoming information and respond appropriately.
Again, experienced counsel can advise on how to handle different types of reports, determining which ones are harbingers of potential crisis and which ones can be resolved through internal procedures. Integrating compliance data collection and analytics with that of other business processes is a smart move that should lead to operational efficiencies as well as reduced legal exposure.
‘TAKING THE DOJ’S BIGGEST BET’
But companies should be wary of taking the DoJ’s biggest bet: that immediate disclosure of every potential violation is the best way to reduce overall exposure. It is not.
First, any report to the DoJ will, at minimum, impose the burden of co-operation. Co-operating is costly, invasive, potentially damaging to relationships and opportunities and requires companies to give up a lot of control. The new guidance does not in any way suggest that it seeks to relieve this pain, even as it promises leniency in the ultimate outcome.
Second, companies – particularly those with robust compliance programs and sophisticated real-time compliance data – will inevitably become aware of violations of minor or unknown significance and may question whether to report them given the DoJ’s new guidance encouraging companies to report all violations immediately.
But it’s hard to see this as anything more than hopefulness on the government’s part. Given the burdens of co-operation and the comparative likelihood that minor violations may never come to light otherwise, it is simply unreasonable for the DoJ to expect a company to report small issues that do nothing more than prove its compliance program works.
Even for more serious violations, company leaders need time to investigate and consult with counsel about the best way forward, so it is unlikely that immediate reporting will be feasible, let alone desirable, even for issues a company may ultimately choose to disclose.
So why report at all? The downside risk of a failure to report is sizable, particularly for a significant violation that may come to light anyway. Companies taking this path will be on the hook not just to disgorge any ill-gotten gains, but also to pay a fine calculated under the US sentencing guidelines. This fine, even with co-operation discounts, could be many multiples of the loss incurred.
Even worse, in a situation involving multiple companies and/or individuals, any one company may be liable for a multiple of the total amount at stake in the overall scheme, not just the loss it individually caused. Ultimately, the DoJ’s carrots are mediocre, but its sticks are large and potentially daunting.
The decision of whether to self-report is highly individualized. Under certain circumstances, it may be to a company’s greater advantage. By enhancing its compliance program in advance of learning of any misconduct, a company will position itself to realize that advantage, and to co-operate more effectively should it choose to self-disclose.
Nonetheless, even for a company with a stellar compliance program, the choice to report a violation is not an obvious one. As the numbers show, the DoJ has not been particularly active in recent years and appears unlikely to go after most minor violations on its own.
Ultimately, whether to bring a case to the DoJ’s attention is a challenging decision that can only be made in partnership with counsel who knows the company’s business inside and out. In the early days of this new paradigm, there is still uncertainty about how prosecutors will observe the guidance in practice.
Avoid being the test case. Modernize your company’s compliance program and have trusted counsel on speed-dial. With proactive measures in place, the choice of whether or not to report will become a strategic, rather than a reactive, one.
Colleen Lauerman and Daniel Rubinstein are partners in Sidley Austin’s Washington, DC and Chicago offices, respectively. Meredith Aska McBride is a managing associate in the Chicago office and Kamila Rivas is an associate in the Washington, DC office