U.S. DOJ publishes revisions to corporate criminal enforcement policy

The U.S. Department of Justice ("DoJ") has announced a tightened corporate criminal enforcement policy: "a combination of carrots and sticks"

On 15 September 2022, Deputy U.S. Attorney General Lisa O. Monaco announced a strengthened corporate criminal enforcement policy. The DoJ has clarified its position with regard to five core areas: (1) individual accountability, (2) corporate recidivism, (3) self-reporting and cooperation, (4) monitorships, and (5) corporate culture and compliance programs.

Key takeaways:

1. The DoJ emphasizes self-disclosure, cooperation and remediation as “the clearest path” for companies to avoid a guilty plea or an indictment ("carrot"). However, in exchange the company must cooperate "fully". With these changes, the DoJ has considerably tightened the requirements for "full" cooperation.
2. If the company does not cooperate or does not cooperate fully, there is a considerable increased risk that it will only be possible to reach a settlement that includes an admission of guilt (plea agreement), high fines, and the appointment of a compliance monitor ("stick").
3. As part of the "full" cooperation, the DoJ will now require that particularly relevant information be passed on to the DoJ "promptly" as soon as it is discovered. Delays, even if due to (further) internal investigations, can jeopardize the cooperation credit. 
4. Going forward, the DoJ intends to settle criminal proceedings against companies only if there is a concrete plan for prosecuting the individuals involved. This means that companies should cooperate with DoJ investigations against individuals (i.e. employees) if they are seeking a settlement for the company. In practice, this is likely to jeopardize employees’ cooperation in a company’s own internal investigations. In an attempt to allay such concerns, the DoJ says that the company "only" has to provide the facts and not a (criminal legal) assessment. In practice, however, this subtle distinction often makes no difference to those implicated.
5. The DoJ recognizes that data privacy laws can make it difficult to hand over information located outside of the U.S. To obtain cooperation credit under these circumstances, the company needs to substantiate the restrictions imposed by data privacy laws, use all available legal bases for processing the information, and identify "reasonable alternatives" for providing the requested information.
6. A history of misconduct by the company remains relevant for the DoJ, especially if the misconduct stemmed from the same cause or happened under the same management. If one company takes over another, the acquirer must immediately address any compliance issues within the target company. 
7. The DoJ expects companies to implement internal processes that govern the use of personal devices and messenger services for business purposes. The cooperation credit is contingent on the company being able to collect and hand over relevant business information from private devices as well – in other words, these actions must also be permissible under data protection law.
8. Compliance can also be managed through employee remuneration. Going forward, the DoJ will specifically look at whether there are clawback clauses in contracts and whether companies specifically reward compliance – not only on paper, but also in practice. 

Assessment

In October 2021, Deputy Attorney General Lisa Monaco established a multidisciplinary working group (the Corporate Crime Advisory Group) and tasked it with a top-to-bottom review of the DoJ’s criminal corporate enforcement efforts. The now-published, tightened corporate criminal enforcement policy stems from the recommendations of the working group and fits into the overall strategy of the DoJ in the Biden Administration. Deputy Attorney General Monaco summarized it as follows in her speech on 15 September 2022:

"In short, we’re empowering companies to do the right thing – and empowering our prosecutors to hold accountable those that don’t."

1. On the one hand, this means that the DoJ is further incentivizing preventive compliance measures within companies. The aim is to give the compliance and legal departments the tools to make a "business case" for responsible, lawful behavior. This also fits in with the DoJ's policy – announced in the spring – of considering in the future whether a company's chief executive officer (“CEO”) and chief compliance officer (“CCO”) must declare in writing, as part of a resolution, that the compliance system is adequately designed and effective for detecting and preventing violations. In the recent past, Glencore plc committed to making such a declaration in one of its plea agreements. Before the CEO and CCO declare that this is the case, it is advisable to conduct a certification or review beforehand to confirm that the compliance management system ("CMS") is indeed appropriately designed and effective. Particularly with regard to the effectiveness of the CMS, it may also be necessary to "test" the processes and controls.
2. On the other hand, companies have to cooperate more quickly and extensively in order to achieve a favorable resolution – through enhanced cooperation, the DoJ will to be able to prosecute individual persons more quickly and effectively. Without voluntary, immediate, and complete self-disclosure, cooperation and restitution, there is a risk of considerable penalties. 

Conclusion 

The elements of the tightened corporate criminal enforcement policy are not fundamentally new, but they are profound. The strategy is already clearly recognizable and impacts companies that have business relations with the U.S. — especially in the case of a possible investigation, but also from a prevention standpoint, e.g. with regard to internal compliance measures. As a rule, there are good arguments for companies to cooperate with the DoJ. However, whether a company cooperates "fully," in the sense of the new Corporate Criminal Enforcement Policy, or defends itself otherwise remains a discretionary decision. In addition to the threat of sanctions, fines and reputational risks, other concerns that can play a significant role in the respective defense strategy include, in particular, procurement law risks, private damages claims, and securities lawsuits.