In our memo last year, we acknowledged that it was close to impossible to predict the likely impact that the newly elected Trump administration would have on white-collar and regulatory enforcement. (White Collar and Regulatory Enforcement: What to Expect in 2017) Instead, we set out a list of initiatives we urged the new administration to consider, including clarifying standards for when cooperation credit would be given, reducing the use of monitors, and giving greater weight to a company’s pre-existing compliance program when exercising prosecutorial discretion, among other suggestions. While the DOJ under Attorney General Jeff Sessions has, for example, taken some steps toward clarifying the applicable standards for cooperation and increasing incentives to disclose misconduct in the FCPA area, few other policy choices or shifts in approach have been articulated or implemented.
Strikingly, after a full year, it remains very hard to say anything definitive about likely developments in the white collar arena under the current administration. One reason for this is the slow pace at which President Trump is filling key positions at Main Justice and in individual United States Attorney’s Offices across the country. However, based upon the public statements of AG Sessions and other senior DOJ personnel, and the statistics available, it does appear that the enforcement pendulum may be swinging back from the aggressive stance of the Obama era toward somewhat fewer enforcement actions being brought overall, and with generally lower fine levels. There are of course some caveats: while the level of federal enforcement activity may be on the wane, there are strong signs that many state attorneys general are eager to pick up the slack. Moreover, the federal signals that are being sent suggest that there will be a greater focus on the prosecution of individuals, which may ultimately result in an uptick in the number of cases over time. At the SEC, all indications are that while enforcement priorities may evolve, there is no basis to expect less enforcement.
Notwithstanding the lack of tea leaves to read concerning the future direction of white-collar and regulatory enforcement, it remains a safe bet that companies will continue to face substantial and familiar risks in this area from both federal and state prosecutors and regulators, as well as international law-enforcement authorities which, as we discuss below, have become more active in the FCPA arena and other areas. In the sections that follow, we provide our views on what companies should anticipate in 2018 concerning the following key topics:
As we reported last year, it was difficult to reliably predict whether DOJ, under new leadership, would maintain its focus on white collar crime as an enforcement priority. The new administration’s first year has provided only a modicum of clarity. Most notably, there remain several vacancies in senior leadership positions at Main Justice, including the Assistant Attorney General for the Criminal Division, and more than half of the U.S. Attorney positions around the country have not been filled with Senate-confirmed leaders. In the Criminal Division, six of the sixteen sections are led by acting chiefs. Moreover, several of the most prominent U.S. Attorney’s Offices, such as the Southern and Eastern Districts of New York, the District of New Jersey and the Central District of California, are operating with interim U.S. Attorneys. Until these positions are filled, and new leaders have an opportunity to establish themselves, it will be difficult to determine DOJ’s overall approach to white-collar enforcement with any assurance.
Public comments by senior DOJ officials and other actions, however, provide some reason to believe that what seemed like a yearly uptick in enforcement activity over the past decade or so may be hitting a plateau, if not ticking downward. For example, the Attorney General has not publicly indicated that white-collar crime enforcement is a priority. In the speeches he has given this past year, the Attorney General has discussed many DOJ priorities—e.g., gang violence, immigration, the opioid crisis, enforcement of federal laws criminalizing marijuana use—but has not included corporate crime on that list.
The Deputy Attorney General, the number-two DOJ official, has made several public comments on corporate crime, and those appear to reflect some subtle changes in policy from prior administrations. Specifically, the DAG unveiled this fall a plan to review and reconsider existing DOJ policies, primarily by withdrawing previously issued memos, including the Yates Memo, the McNulty Memo, and the Morford Memo. Each of these memos provided guidance to federal prosecutors relating to corporate investigations and prosecutions on issues such as whether to bring criminal charges, whether to impose a corporate monitor, and whether a company has earned maximum cooperation credit. To replace what the DAG described as “management by memo,” DOJ intends to incorporate all guidance to federal prosecutors in the U.S. Attorneys’ Manual. While the DAG has not specified the changes to be implemented, he has indicated that they will be consistent with certain themes: a focus on individual accountability, an effort to avoid using the threat of criminal action to extract civil payments, and a desire to create policies that reflect input from parties both inside and outside of DOJ. These anticipated changes all point to the possibility of greater balance in corporate criminal enforcement.
Two other recent developments suggest DOJ may be backing away from Obama-era initiatives aimed at increasing corporate criminal enforcement. First, in October 2017, the DAG announced that DOJ is considering significant changes to the Financial Fraud Enforcement Task Force. That task force was created in the wake of the 2008-09 financial crisis to focus on financial fraud, primarily related to mortgages. DOJ is now reviewing the mandate of the task force to determine “whether it continues to meet current needs.” Second, in June 2017, DOJ Fraud Section’s first-ever compliance counsel resigned. The position was designed to provide expertise within the Fraud Section on compliance issues in connection with negotiating corporate resolutions, including, importantly, whether existing corporate compliance programs and actions warranted “credit” in connection with charging decisions and otherwise in resolving an investigation. To date, no one has been hired to fill that position and it is unclear whether DOJ plans to do so.
Statistics seem to support the impression that white collar enforcement is leveling off. In 2017, DOJ entered into a total of 22 NPAs and DPAs—the fewest since 2009. While there are many reasons why the number of corporate resolutions may fluctuate from year to year, particularly given the lengthy period of time that corporate investigations often take before a resolution is reached, as a general matter this lower number of corporate resolutions is consistent with the goals DOJ has articulated: an increased focus on prosecuting individuals and increased opportunities to obtain corporate declinations.
Entering the second year under this administration, many legacy investigations have either been resolved or will be resolved shortly. Thus, in the near future, we expect to have specific examples of how DOJ under its current leadership will handle corporate criminal investigations. Based on public statements so far, it appears that companies may have opportunities to avoid some of the crushing corporate penalties and harsh corporate dispositions that have been imposed in recent years. Those opportunities, however, will only be available to companies that act in accordance with DOJ guidance. Accordingly, it will be critical for companies to continue to implement and maintain robust compliance programs and, when problems are identified, to engage in prompt self-reporting where appropriate, and to conduct careful and thorough investigations to identify individual wrongdoers.
On January 11, 2018, Robert Jackson and Hester Peirce were sworn in as SEC commissioners, following confirmation by the Senate. This action brought the Commission to its full strength of five members for the first time since 2015. With a fully constituted Commission and Chairman Jay Clayton now approaching nine months in office, the impact of the new administration and of turnover in senior staff roles should become more visible as 2018 unfolds. As we explain below, this is a time of both change and continuity at the SEC.
The SEC brought 868 total enforcement actions in fiscal 2016; that number declined to 754 in fiscal 2017. Some commentators fastened on this statistic and concluded that enforcement efforts have slowed under the new administration. This commentary suffered from a failure to look behind the numbers. Most significantly, the 2016 total included 84 actions brought as part of the Municipalities Continuing Disclosure Cooperation (MCDC) Initiative, a voluntary self-reporting program. Accordingly, the SEC brought 784 stand-alone enforcement actions not involving the MCDC program in 2016. Compared to the 754 cases brought in 2017, the year-to-year decline was only 3.8%—not a significant drop, particularly in light of the amount of turnover in senior positions. At the same time, it is true that defense practitioners observed an apparent slowing in the progress of certain investigations during 2017, though again this was more likely attributable to the disruption arising from the change of administrations and staff departures, rather than any policy determination to bring fewer cases.
While we see no reason to expect a lighter touch on enforcement under the new administration, some changes in emphasis have already become evident. Chairman Clayton has highlighted a special concern over fraud perpetrated upon “Main Street” investors, and the new Co-Directors of Enforcement, Stephanie Avakian and Steven Peikin, have also discussed this programmatic emphasis in their own speeches. These words have been matched with action, as the Commission has now formed a Retail Strategy Task Force to marshal investigative efforts toward forms of misconduct that harm individual investors, such as accounting fraud in public companies, unsuitable broker-dealer recommendations, “pump and dump” frauds and Ponzi schemes. These types of cases have, of course, always been core components of the Commission’s enforcement program. Now, the public commentary from the leaders of the agency and the creation of a task force mean that the staff will make greater efforts to find cases in these areas, supervisors will direct more resources to these cases and investigations that address these problems will move faster. The Chairman and senior staff have also spoken frequently about an emphasis on cyber issues and they have formed a specialized unit focused on that area.
There are also encouraging indications that the new administration may rein in some aspects of the recent criminalization of the SEC enforcement process, an adjustment that we have advocated for in the past. See our 2016 Year-End Memo. In particular, public statements by senior officials suggest that we will see a move away from the recent innovation of requiring certain companies to admit the SEC’s allegations in settlements. As we observed, this policy selectively imposed collateral consequences on affected companies without providing any meaningful enhancement to the enforcement program. Last year, the Enforcement Division’s annual report highlighted the cases in which the Commission obtained admissions. This year’s report, by contrast, did not mention the practice.
Chairman Clayton and the senior enforcement staff have also promised a continuing focus on individual responsibility. This emphasis is a carryover from the previous administration. Indeed, though pursuing individuals has been a major theme in the SEC’s public statements in the post-financial crisis period, it was never a new idea. SEC investigations have focused on individual responsibility for decades. In the overheated atmosphere in the years that followed the financial crisis, however, the SEC was sometimes willing to push the envelope a bit too far in order to charge individuals. This tendency led to a number of losses at trial in cases against individuals, as well as some face-saving settlements in litigated cases that were insufficiently supported by the evidence. At its best, historically, the SEC enforcement program has aspired to be “tough, but fair.” Fairness sometimes entails a politically unpopular decision not to charge an individual in a high-profile case. It is to be hoped that the new leadership will pursue its enforcement goals while also giving due weight to fairness considerations.
In 2017, corporations across the globe continued to experience an onslaught of cyberattacks and an ever-expanding range of data security risks, simultaneously rendering companies both cyber crime victims and potential subjects of regulatory scrutiny as to the sufficiency of their cybersecurity programs. Ransomware attacks, botnet threats, e-mail “spoofing,” and targeted phishing campaigns, launched by adversaries ranging from sophisticated nation-state actors to teenage thrill-seekers, kept information security teams scrambling to respond. The WannaCry and NotPetya malware variants wreaked havoc on businesses worldwide, while the revelation of high-profile cyber intrusions at Equifax, HBO, Uber, and even the SEC itself exposed the reality that all organizations’ systems are at risk. With bad actors increasingly using machine learning and artificial intelligence to spawn malware and taking advantage of vulnerabilities in the “Internet of Things,” these threats show no signs of abating in 2018. To borrow the words of SEC Chairman Clayton, “even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face.” As a result, companies of every profile would be wise to invest in cyber resilience, as well as prevention, so as to be prepared to identify and recover from intrusions as swiftly and effectively as possible.
The high-profile cyber incidents of 2017 underscored the importance of a layered cybersecurity strategy that employs cutting-edge capabilities without losing sight of basic, but critical, proficiencies. Though it used stolen NSA hacking tools as a springboard, the WannaCry malware primarily capitalized on known Windows vulnerabilities for which Microsoft had previously released patches; similarly, the Equifax attackers gained access to critically sensitive data through a web application vulnerability for which a patch had been issued months before. Meanwhile, companies with reliable and timely patching procedures escaped these attacks unscathed. Companies should take care that deployment of new cybersecurity defensive strategies and technologies does not distract from the basic “blocking and tackling” of patch installation, operating systems upgrades, and employee training, as these remain critical first-line defenses.
Developments in 2017 also exposed the inadequacy of some incident response plans and notification strategies. Organizations experiencing severe cyber incidents drew criticism for their initial muted responses to cyber incidents, with questions raised about post-incident communication and disclosure strategies, remediation efforts, and securities trading by insiders. Even the SEC came under fire for the timing of its September 2017 revelation that its EDGAR electronic filing system had been breached more than a year before.
In the face of uncertainty concerning proper post-incident notification and disclosure procedures, the SEC turned both regulatory and enforcement attention to these matters. In speeches in late 2017, Chairman Clayton indicated that he hoped to see “better disclosure” of cyber risks, and SEC leaders promised an update of the Commission’s 2011 Disclosure Guidance on Cybersecurity. Though it has yet to bring an enforcement action for a cyber-related disclosure failure, the SEC signaled a move toward a more aggressive approach, publicly alluding to the possibility of disclosure-based enforcement actions amid reports that it was engaged in ongoing investigative efforts in this area. And in the wake of controversial post-breach trading by Equifax executives, SEC leadership pointedly advised companies to reexamine their trading policies. In 2018, companies should re-examine and drill their incident response plans, paying extra attention to internal incident elevation and affected party and governmental notification procedures, and also re-assess insider trading and cyber risk and incident disclosure policies.
Internationally, industry regulators continued to increase their attention to cybersecurity. European regulators sent out periodic reminders regarding the EU’s looming General Data Protection Regulation (GDPR), which takes effect in May 2018 and sweeps more broadly than some non-EU-based companies may realize. Given the GDPR’s stringent data handling requirements, its extraterritorial reach, and its severe penalties for noncompliance, companies with even a minimal European nexus should engage in GDPR self-assessment and implement steps for compliance as necessary and appropriate. At the state level in the U.S., attorneys general continue to investigate companies in the aftermath of significant data breaches, and regulators like New York’s Department of Financial Services have adopted increasingly prescriptive and onerous regulations. By contrast, the Trump administration has so far taken a more hands-off approach to cybersecurity regulation, with telecommunications deregulation at the FCC, a halt to the rulemaking process launched in 2016 by federal banking regulators, and an Executive Order that focused primarily on the security of government networks.
By now, most companies have recognized the enterprise-level nature of cyber risks and have invested accordingly in the basic building blocks of a cybersecurity program. But in a financial industry analysis that provides valuable lessons for all companies, the SEC found gaps between companies’ cybersecurity ambitions and their day-to-day execution, and highlighted six elements of the most successful programs: (1) systems for maintaining inventories of data, information and vendors; (2) detailed cybersecurity policies with a focus on execution; (3) data and system testing procedures with prescriptive schedules; (4) strong controls over data and system access; (5) mandatory training programs with procedures to ensure consistent implementation; and (6) engaged senior management. Careful attention to these six elements, along with efforts to ensure that cybersecurity policies and procedures are uniformly implemented, testing is systematically performed, response plans are regularly exercised, and notification and disclosure policies are re-examined, should enable companies to mitigate cyber risks, limit potential liability, and further enhance their cybersecurity programs. Evaluation of these elements and the company’s related efforts will also enable boards of directors to execute their critically important risk oversight function in the area of cybersecurity.
Consumer Financial Protection Bureau
The Consumer Financial Protection Bureau is in the process of ratcheting back its enforcement activities under the current administration. In December, Mick Mulvaney, currently the Director of the Office of Management and Budget, was named Acting Director of the CFPB. While he was in Congress, Mr. Mulvaney opposed the creation of the CFPB and has been highly critical of the agency. Since his appointment, he has halted hiring, frozen all new rule-making, ordered a review of active investigations and lawsuits, and reopened the CFPB’s recently adopted rule targeting payday lending. Earlier this week, Mulvaney announced the issuance of a “call for evidence” to determine whether the CFPB is fulfilling its intended function, including an evaluation of the Bureau’s use of Civil Investigative Demands.
The CFPB was established by Dodd-Frank as an independent bureau within the Federal Reserve System, at least in part for the purpose of maintaining its budgetary independence from Congress. Mulvaney has called the agency “one of the most offensive concepts . . . in a representative government,” and recently proclaimed that “[t]his place will be different, under my leadership and whoever follows me.” The CFPB’s complete demise has been predicted by many commentators—but that would require congressional action and hence it is difficult to gauge the likelihood that this will in fact occur. What is certain, however, is that under Acting Director Mulvaney, its overall level of enforcement activity will drop dramatically.
Similarly, it is anticipated that enforcement activity by the Federal Reserve and the Office of the Comptroller of the Currency, which had become commonplace during the Obama administration in the aftermath of the financial crisis, will decrease as well.
State Attorneys General Trends
In the aftermath of the 2016 presidential election, many state attorneys general made clear their intention to fill any regulatory void that emerged under the new administration. Throughout 2017, many state AGs, not surprisingly from traditionally active offices led by Democrats, such as California, New York, and Massachusetts, demonstrated their intention to follow through on their public statements. The result of this increase in state AG activity is that companies may continue to face a similar level of regulatory scrutiny as in past years, even if not from federal regulators.
State AGs have been initiating investigations in areas that had traditionally fallen within the province of federal law enforcement. Examples include investigations of pharmaceutical opioids, immigration, net neutrality, and environmental regulations. A coalition of 41 state AGs announced this past fall that they were issuing subpoenas and document demands to leading pharmaceutical companies seeking information about how those companies manufactured, marketed, and distributed prescription opioids. Similarly, attorneys general of 49 states and the District of Columbia reached a settlement with General Motors this fall over allegations that the company concealed safety issues related to defective ignition switches in GM vehicles.
In addition to investigating corporate misconduct, state AGs are banding together to challenge the current administration’s policies in a number of different law-enforcement areas. For example, nearly all Democratic AGs have joined to challenge the new administration’s move to end the Deferred Action for Childhood Arrivals initiative. And a coalition of 15 state AGs, led by New York Attorney General Eric T. Schneiderman, have filed a lawsuit against the Environmental Protection Agency, for allegedly ignoring Clean Air Act requirements.
State AG-led investigations can be particularly burdensome on companies for a variety of reasons. First, the fact that an issue has traditionally been the subject only of federal regulation—for instance, the adequacy of disclosures under federal securities law—does not prevent a state AG from pursuing that issue. Second, since state AGs often work together, large companies may be confronted by multi-state investigations pursued in concert by multiple states’ attorneys general, as highlighted by the investigations described above. While the potential monetary and punitive consequences of one state’s investigation can be a significant challenge, a company’s exposure is exacerbated when dealing with multiple states’ laws, forums and enforcement interests. Finally, state and local political considerations can often be a factor in these kinds of cases, which can sometimes make their management and resolution more complex and challenging.
The Trump presidency prompted intense speculation concerning the future of Foreign Corrupt Practices Act enforcement. Prior to taking office, both President Trump and incoming SEC Chairman Clayton had openly questioned whether FCPA enforcement impedes American businesses overseas. One year later, continuity has largely prevailed over change. In a series of speeches in early 2017, DOJ and SEC leaders committed to continued vigorous FCPA enforcement, and DOJ subsequently announced significant prosecutions of individuals and high-penalty resolutions with corporations, many of which were the product of close international law enforcement coordination. In November, the DAG announced a new FCPA Corporate Enforcement Policy that made permanent the core principles of the Obama administration DOJ’s FCPA Pilot Program.
But close analysis does suggest some important, if subtle, shifts at work. The new FCPA Corporate Enforcement Policy, discussed in more detail below, increased incentives for corporations to disclose misconduct, and DOJ leadership has emphasized that its goal is to enhance corporate compliance, rather than maximize penalties. As noted above, DOJ’s use of corporate DPAs and NPAs dipped significantly in 2017, to its lowest level in recent years, while the number of FCPA enforcement actions against public companies dropped significantly after the Trump administration took office. Whether these shifts constitute a change in enforcement approach or a temporary blip as a new leadership team hits its stride remains to be seen.
DOJ’s announcement of its FCPA Corporate Enforcement Policy constituted the most significant policy development in this area in 2017. With the Pilot Program having triggered a significant uptick in corporate FCPA self-disclosures, DOJ doubled down—not only by codifying the Program in the U.S. Attorneys’ Manual, but by increasing self-disclosure incentives through a new presumption that DOJ will altogether decline prosecution against companies that voluntarily self-disclose FCPA misconduct, make proactive efforts to cooperate, adopt appropriate remediation, and disgorge any ill-gotten profits. While the new Policy includes stringent requirements for corporate cooperation and remediation and stops short of guaranteeing a declination for self-disclosing companies, it does represent a significant step toward greater enforcement transparency and more concrete and predictable benefits for corporate self-disclosure and cooperation.
Developments on the enforcement side reflect the continuation of two notable trends: (1) declinations for companies that self-disclosed FCPA misconduct, and (2) the expansion of international law enforcement coordination. On the declination side of the ledger, DOJ has now publicly declined to prosecute seven self-reporting companies since the Pilot Program was launched. The declination relating to the Linde Group deserves special attention: there, the company discovered and self-disclosed a bribery scheme taking place within an acquired subsidiary; the resulting declination highlights the importance of careful pre-acquisition FCPA due diligence and thoughtful post-acquisition integration, as well as a potential path for acquiring companies that discover misconduct at acquired entities.
On the enforcement side, the level of international cooperation among anti-corruption law enforcement agencies—long promoted by DOJ—appears to have gathered real momentum. In countries from Europe to South America to Asia, new anti-corruption laws are taking effect, and enforcement actions are being pursued. Indeed, the most significant FCPA resolutions of 2017 involved coordinated international investigations and resolutions, with multiple countries sharing the criminal penalty proceeds:
- Just last month, Keppel Offshore & Marine Ltd (KOM), a Singapore-based company that operates shipyards and designs, builds and repairs mobile offshore rigs and vessels, agreed to a $422 million penalty, while its U.S. subsidiary pleaded guilty to conspiracy to violate the FCPA’s anti-bribery provisions, stemming from the payment of millions of dollars in bribes to Brazilian officials over the course of 13 years; notably, the resolution resolved charges in three countries: the U.S., Brazil and Singapore split the penalties, with Brazil receiving half of the $422 million, and the U.S. and Singapore receiving one-quarter each.
- In September 2017, Telia Company AB, a Swedish telecommunications company, entered into a global anti-bribery resolution involving a total penalty of $965 million and a guilty plea by its Uzbek subsidiary, Coscom LLC, to resolve charges relating to a scheme to pay over $330 million in bribes to an Uzbek official; again, the resolution resolved charges in multiple countries, with penalties paid by Telia and Coscom to U.S., Dutch and Swedish authorities.
- Back in January 2017, Rolls-Royce plc, the U.K. power systems manufacturer and distributor, resolved investigations by DOJ, U.K. and Brazilian authorities of bribery activity in six countries in South America, Asia and Africa by agreeing to pay a total of more than $800 million in penalties, divided amongst the three countries; Rolls-Royce entered into Deferred Prosecution Agreements (DPAs) with both DOJ and the U.K.’s Serious Fraud Office, only the third-ever DPA deployed in the U.K.
- DOJ charged 18 individuals with violating the FCPA in 2017, including a KOM attorney, three Rolls-Royce executives, and a retired U.S. Army Colonel; meanwhile, over 20 individuals pleaded guilty or were convicted of FCPA-related charges in 2017, including a Macau citizen who was convicted after trial of FCPA violations for bribing U.N. officials.
With DOJ apparently remaining committed to FCPA enforcement, and additional countries entering the anti-corruption fray, companies doing business internationally must continue to pay very close attention to FCPA and related anti-corruption risk. The design, implementation, and regular update of strong anti-corruption compliance programs remain the most important steps that companies can take to control that risk. Through such programs, companies will be well positioned to prevent corrupt conduct before it occurs or, at a minimum, to take timely remedial action and thus mitigate the consequences if rogue employees violate established company policy.
At a time when the administration is still shaping its priorities and the enforcement environment is evolving, we continue to believe that for all well-managed companies, “good compliance is good business.” In particular, it is wise and prudent to invest in effective compliance programs and systems—including well-designed policies and procedures, regular training, hotlines to encourage surfacing of problems, prompt responses to problems that do get surfaced, retention of strong audit and compliance personnel, and establishment and maintenance of the proper tone at the top and tone on the ground. Even if one assumes that the current environment may lead to reduced enforcement activity over time, having those policies and systems in place will redound to the benefit of the company if a significant problem were to arise.
This post comes to us from Wachtell, Lipton, Rosen & Katz. It is based on their memorandum, “White Collar and Regulatory Enforcement: What to Expect in 2018,” dated January 19, 2018.