On October 25, 2018, John Cronan, Principal Deputy Assistant Attorney General of the Criminal Division of the US Department of Justice (DOJ), delivered an important speech that touched on several key issues for legal and compliance counsel trying to balance business realities with regulator expectations, particularly with respect to compliance with the US Foreign Corrupt Practices Act (FCPA). Of particular note, Cronan discussed:
- The application of the DOJ’s FCPA Corporate Enforcement Policy;
- The DOJ’s expectations as to what constitutes full cooperation in the course of an investigation;
- The use of coordinated resolutions; and
- The recent update to the DOJ’s policy on implementing monitors as part of an enforcement resolution.
The Corporate Enforcement Policy and voluntary disclosure
As noted in our prior client alert in November 2017, the DOJ announced a significant update to its process for evaluating and rewarding corporate cooperation and self-disclosure in FCPA cases. The DOJ subsequently clarified that the policy applies in the M&A context and expanded the policy to apply in non-FCPA cases as well. An important component of that policy is whether a company voluntarily self-discloses the existence of potential misconduct to the DOJ. For a self-disclosure to be “voluntary,” it must: (1) occur before “an imminent threat of disclosure or government investigation;” (2) be made “within a reasonably prompt time after [the company] becom[es] aware of the offense;” and (3) include all relevant facts known to the company about the alleged misconduct.
In his recent speech, Cronan emphasized that companies “should make their initial disclosures sooner rather than later” and “should not wait until completing a significant internal investigation before coming forward.”
Although the DOJ encourages self-disclosure and the FCPA Corporate Enforcement Policy attempts to clarify its benefits, the decision to make such a voluntary self-disclosure is complex, particularly for cross-jurisdictional matters. As noted in our prior alert comparing the US and UK regimes, self-reporting is ultimately both a legal and a business decision, with wide-reaching implications that must be evaluated at an early stage, often before all the facts are known.
For a self-disclosure to qualify as “voluntary” under the new policy, a company must go to the DOJ before there is a threat of public disclosure. As a result, a company may fail to qualify for full credit, even if the DOJ or other regulators are unaware of the conduct, if the DOJ determines that information about the misconduct was about to become public through media reporting or other means. While a company may prefer to have all the facts from a robust internal investigation first, Cronan’s speech confirmed that the DOJ will not guarantee “self-disclosure” credit under such circumstances. On this issue, the DOJ retains significant discretion to determine whether the company has been “reasonably prompt” and whether there was an “imminent threat” of disclosure. Both are obviously subjective factors.
In his speech, Cronan provided examples of what a company should do to best position itself to obtain maximum cooperation credit. For example:
- When making an initial self-disclosure, in addition to summarizing the facts and the investigative steps being taken, explain who is conducting the investigation (e.g., external counsel, internal employees, other consultants) and who is overseeing the investigation (e.g., audit committee, general counsel);
- Describe the steps taken to preserve and collect relevant evidence (including from electronic devices);
- Provide a list of interviewees (both completed and planned) and individuals who know about the investigation, including third parties; and
- Identify any types of information that the company is unable to share with the DOJ because of privilege, data privacy, blocking statutes, or other reasons.
Cronan also reiterated that cooperation typically requires providing the DOJ with a consistent flow of information, including disclosures of significant information as it is uncovered.
Once again, understanding how to manage the DOJ’s expectations (which may be different from regulators in other relevant jurisdictions) is critical. Satisfying the criteria for credit under the Corporate Enforcement Policy is not a matter of checking off a series of boxes. Striking the right balance between performing sufficient due diligence to confirm the accuracy of information and keeping the DOJ fully informed of significant information on a real-time basis is critical to ensuring maximum cooperation credit.
Reiterating prior DOJ policy statements about discouraging the “piling on” of duplicative penalties from multiple regulators for the same conduct, Cronan also discussed the DOJ’s goal of “[p]ursuing fair and equitable outcomes … [by] working toward a resolution that avoids punishment that exceeds what is necessary to rectify the harm and deter future violations, particularly when a company faces a combination of criminal penalties along with civil or foreign penalties.” Cronan emphasized that the DOJ is actively working with other domestic and foreign regulators to ensure that companies do not face duplicative penalties and that any monetary fine, restitution or disgorgement is commensurate with the alleged misconduct.
If a company becomes the focus of a multi-jurisdictional investigation, it should utilize a global, coordinated strategy to manage the investigations across jurisdictions and require that any external counsel or consultants implement a similar strategy. By doing so, a company may be able to minimize its total liability.
Cronan’s speech also addressed the DOJ’s recent memorandum updating its considerations regarding when to seek the imposition of a corporate monitor when resolving an investigation (the “Memorandum”).
The Memorandum notes that prior DOJ statements set forth two broad considerations to guide prosecutors as to whether a monitor is appropriate: (1) the potential benefits that employing a monitor may have for the corporation and the public, and (2) the cost of a monitor and its impact on the operations of a corporation. The Memorandum elaborates on those considerations by requiring prosecutors to take into account:
- Whether the underlying misconduct involved the manipulation of books and records or the exploitation of an inadequate compliance program;
- Whether the misconduct was pervasive across the business or approved/facilitated by senior management;
- Whether the corporation has made significant investments in, and improvements to, its compliance programs; and
- Whether any remedial improvements to the corporation’s compliance program have been tested for efficacy.
As Cronan noted, the DOJ shall consider “whether the misconduct took place under different corporate leadership or in a compliance environment that no longer exists, and whether the changes in leadership and the corporate culture adequately safeguard against a recurrence of the misconduct.” Other considerations include the remedial measures put in place (e.g., the termination of certain business relationships and practices related to the misconduct) and the unique risks and compliance challenges for the particular jurisdiction(s) and industry in which the company operates. Finally, prosecutors must consider the costs associated with a corporate monitor—not only the projected monetary costs, but also whether the proposed scope of a monitorship imposes undue burdens on the corporation’s business.
When a monitor is warranted, the Memorandum requires the DOJ to appropriately tailor the scope of the monitorship to address the specific issues and concerns that created the need for the monitor in the first instance. Cronan specifically noted that the imposition of a monitor is not meant to be “punitive” but rather to reduce the chances of future misconduct.
The DOJ’s recent pronouncements on the issue of corporate monitors reinforce the importance of having both an effective compliance program and the agility to promptly remediate if potential misconduct is uncovered – including taking any necessary personnel actions. Although a company cannot predict whether or when a government investigation may occur, conducting regular risk assessments and ensuring that the company’s compliance program is tailored to the company’s compliance risk profile are necessary first steps. The existence of a demonstrably robust program can be a critical factor in minimizing the fallout should a government investigation occur.
 Id. at 2.
 Memorandum at 2.