DOJ Announces Revisions to Corporate Compliance Guidance

The Criminal Division is on the front lines of the Justice Department’s efforts to hold culpable individuals and companies accountable for corporate crime. We also develop innovative policies both to encourage companies to be good corporate citizens and to enhance the department’s corporate enforcement work. Today, I plan to talk about how these efforts support a key aspect of our mission — to prevent and deter corporate crime by incentivizing corporations to invest in robust compliance programs and report misconduct when it occurs. Companies are the first line of defense against corporate crime. And compliance professionals are charged with holding the line on compliance and good corporate culture. We know how important it is for compliance programs to be robust and well-resourced and for compliance officers and their staff to be empowered.

That is why we are transparent about how we evaluate compliance programs and what we believe makes a compliance program successful. It’s why our corporate enforcement policies are available on our website. It’s why — in every corporate resolution — we describe the company’s cooperation and remediation and how we evaluated it. And it’s why each of our resolutions requires companies to commit to forward-looking compliance obligations designed to address the misconduct and improve the compliance program.

I’d like to begin with our Evaluation of Corporate Compliance Programs, or ECCP. I’m sure many of you are familiar with it — it is an invaluable resource for companies. And it is the roadmap Criminal Division prosecutors use to evaluate a company’s compliance program, including the questions prosecutors will ask as they assess a compliance program in determining how to resolve a criminal investigation.

Because when we prosecute corporate crime, we ask not just what happened but why it happened and what the company has done to prevent misconduct from recurring. A critical component of our corporate resolutions involves an assessment of the corporation’s compliance program, at both the time of the misconduct and the time of resolution.

Just as we expect corporations to continuously review and update their compliance programs to account for emerging risk factors, we regularly evaluate our policies and enforcement tools, including the ECCP, to account for changing circumstances and new risks.

I’m pleased to announce today that we have updated our ECCP to address some of these emerging risks. Our updated ECCP, which is available on our website, includes critical additions in three main areas.

First, in March, Deputy Attorney General Lisa Monaco announced that prosecutors will consider how companies mitigate the risk of misusing artificial intelligence and directed the Criminal Division to include an assessment of disruptive technology risks — including AI — in the ECCP. Today, I’m unveiling the results. Our updated ECCP includes an evaluation of how companies are assessing and managing risk related to the use of new technology such as artificial intelligence both in their business and in their compliance programs.

Under the ECCP, prosecutors will consider the technology that a company and its employees use to conduct business, whether the company has conducted a risk assessment of the use of that technology, and whether the company has taken appropriate steps to mitigate any risk associated with the use of that technology. For example, prosecutors will consider whether the company is vulnerable to criminal schemes enabled by new technology, such as false approvals and documentation generated by AI. If so, we will consider whether compliance controls and tools are in place to identify and mitigate those risks, such as tools to confirm the accuracy or reliability of data used by the business. We also want to know whether the company is monitoring and testing its technology to evaluate if it is functioning as intended and consistent with the company’s code of conduct.

Second, following the recent announcement of our whistleblower awards program, the ECCP now includes questions designed to evaluate whether companies are encouraging employees to speak up and report misconduct or whether companies employ practices that chill reporting. Our prosecutors will closely consider the company’s commitment to whistleblower protection and anti-retaliation by assessing policies and training, as well as treatment of employees who report misconduct. We will evaluate whether companies ensure that individuals who suspect misconduct know how to report it and feel comfortable doing so including by showing that there is no tolerance for retaliation.

Third, under the updated ECCP, our prosecutors will assess whether a compliance program has appropriate access to data, including to assess its own effectiveness. We have added questions about whether compliance personnel have adequate access to relevant data sources and the assets, resources, and technology that are available to compliance and risk management personnel. As part of this assessment, we will also consider whether companies are putting the same resources and technology into gathering and leveraging data for compliance purposes that they are using in their business.

We have also updated the ECCP to expand upon an important concept — that companies should be learning lessons from both the company’s own prior misconduct and from issues at other companies to update their compliance programs and train employees.

Next, I want to give you an update on two Criminal Division pilot programs: our Compensation Incentives and Clawbacks Pilot Program and our Corporate Whistleblower Awards Pilot Program.

In March 2023, we announced a three-year compensation clawback pilot program. We are now halfway through the pilot period and can report some observations.

The program has two parts. First, each of our corporate resolutions now requires that the company include criteria related to compliance in its compensation and bonus system. In short, we are asking companies to provide clear metrics both to reward compliance-promoting behavior and to deter misconduct. We included similar language in some corporate resolutions before we launched the pilot program, but it is now required in every Criminal Division resolution. Since the program’s launch, we have included this requirement in nine corporate resolutions.

Let me pause on that for a second. As a result of corporate cases brought by the Criminal Division, nine companies across five industries are upping their game in using their compensation systems to promote compliance. These companies — whether their core business is tech, finance, crypto, manufacturing, or energy — are considering how to align compensation not just with the company’s financial performance, but with conducting business in an ethical manner. And they are setting the tone for others in the marketplace.

Early indications are that these innovations are changing corporate behavior. For example, one company under agreement with the Criminal Division required consideration of adherence to compliance standards and reporting of misconduct in its annual reviews. As a result of these efforts, and a company-wide messaging campaign, the company is seeing more reports of potential compliance issues.

We have also seen many companies incorporating into their compensation systems performance reviews that include an assessment of how employees demonstrate the company’s core values. For example, one company incorporated a performance review metric that measured employees across categories including individual and team performance, goal accomplishment, and demonstration of core values. Ratings on these metrics factored into both compensation and promotion decisions. We are asking companies to continuously evaluate the real-world effectiveness of such incentives, share that feedback with us, and adjust their compensation metrics.

Companies that make compliance a critical factor in determining compensation are sending the message to employees and management that engaging in ethical behavior is critical to success in business. These companies are fostering strong cultures of compliance and promoting leaders who demonstrate ethical values.

Turning to the second part of the pilot program, we provide a fine reduction to companies that recoup or withhold compensation from culpable employees and others who had supervisory authority over the employees engaged in the misconduct and knew of, or were willfully blind to, the misconduct. Companies that take advantage of this aspect of the pilot program will receive a fine reduction equal to the amount of the withheld compensation. This is also something we look at when we consider a company’s remediation. Because taking steps to hold individuals financially accountable is a critical way a company can send a strong message to employees that it is committed to compliance.

To date, two companies have received fine reductions under the pilot program, both in Foreign Corrupt Practices Act (FCPA) cases. Albemarle proactively implemented procedures to freeze future bonuses for those suspected of misconduct, who directly oversaw employees engaged in the misconduct, or who were aware of red flags but failed to prevent the misconduct. They were rewarded with a reduction in their criminal monetary penalty equal to the amount of the bonuses that were withheld. Albemarle was also awarded a 45% reduction from the low end of the applicable penalty range — the highest percentage reduction to date — in light of its substantial cooperation and significant remediation.

SAP also withheld compensation from culpable employees and defended the decision through litigation. These actions sent a clear message to other SAP employees — and employees of companies everywhere — that misconduct will have individual financial consequences. As a result, SAP not only received a fine reduction equal to the amount of withheld compensation. This was also an important aspect of the company’s remediation that supported our decision to award a 40% fine reduction.

By holding culpable individuals financially accountable — along with those who were in a position to report or stop the misconduct — companies send a clear message that there will be consequences for those who do not stand against misconduct.

We also have another critical new tool to harness financial incentives in connection with our corporate enforcement work: our Corporate Whistleblower Awards Pilot Program, or CWA. The program has been up and running for only a few weeks, but we are already receiving good tips.

Whistleblower programs are effective. Programs at other agencies have received thousands of tips, paid out hundreds of millions of dollars in awards, and resulted in holding culpable actors accountable for misconduct. But as successful as those programs are, they do not cover the full range of white collar and corporate crime that the department prosecutes. The CWA seeks to fill those gaps. Our program covers four priority areas of white collar enforcement that are not covered by an existing whistleblower program: abuses of the financial system by financial institutions and insiders; foreign corruption and bribery schemes; domestic corruption; and health care schemes targeting private insurers. And if a whistleblower has information about misconduct that is not covered by an existing whistleblower program but does not fall within one of these four categories, we want to hear from them.

We designed our whistleblower program to encourage internal reporting and to incentivize companies to invest in strong internal reporting structures. A whistleblower who makes an internal report at their company will be eligible for an award if they report to the department within 120 days of their internal report. And critically, making an internal report before coming forward to the department is a factor that will increase the amount of a potential whistleblower award.

And companies that receive internal reports also have a powerful incentive to come forward to the department. We understand that in considering whether to make a voluntary self-disclosure, companies assess not only the benefits of self-reporting, but also the risk that the department will learn about the misconduct from other sources, like whistleblowers. We expect that the CWA will alter that calculus. That’s why, alongside our whistleblower program, we announced an amendment to our Corporate Enforcement and Voluntary Self-Disclosure Policy, or CEP. Under that amendment, where a company receives an internal whistleblower report and then reports the misconduct to the department within 120 days, and before the department reaches out to the company, it will be eligible for the greatest benefit under the CEP — a presumption of a declination — so long as it fully cooperates and remediates. This is a significant benefit to companies and a departure from our usual approach, because a company can qualify for a presumption of a declination even if the whistleblower comes to the department first.

Our whistleblower program also reflects how seriously the department takes the risks that whistleblowers face — and the ways that compliance departments can mitigate those risks. First, we will protect whistleblowers’ identities to the fullest extent allowable under law. Second, we will closely monitor any actions a company takes against whistleblowers who try to do the right thing by raising an alarm within the company. As described in our updated ECCP, compliance departments have an important role here — to implement robust policies that protect employees who report misconduct and to train employees on those policies. Under our updated ECCP, we will closely evaluate a company’s commitment to whistleblower protection and anti-retaliation, as well as whether a company has fostered a “speak up” culture. But if a company retaliates against a whistleblower, we will take all appropriate steps: the company will lose credit for cooperation and remediation and could face sentencing enhancements — and even prosecution — for obstruction of justice.

We have received tips from over 100 individuals to date, with more coming in every day. If those employees are also reporting internally, which we have incentivized them to do, we hope companies are taking their reports seriously and plan to come forward to the department.

Let me now turn to some of our corporate resolutions and the lessons compliance officers can take from them. In our corporate resolutions, we recognize and reward different levels of cooperation and remediation.

Let me start with the greatest benefit we provide: a declination under our CEP. To qualify for a CEP declination, a company must not only voluntarily self-disclose the conduct. It must also fully cooperate and timely and appropriately remediate.

Last month, we announced a declination under the CEP in an investigation involving the Boston Consulting Group (BCG). In addition to timely and voluntarily disclosing evidence of a potential FCPA violation to the department, BCG’s full and proactive cooperation and timely and appropriate remediation resulted in the department’s decision to decline prosecution.

BCG’s remediation included termination of the personnel involved in the misconduct and compensation-based penalties that included requiring certain BCG partners to give up their equity in the company, denying financial benefits normally accorded to BCG employees who leave the firm, and withholding bonuses.

A company that does not voluntarily self-disclose misconduct can receive up to a 50% reduction of its fine depending on the extent of its cooperation and remediation. Every company starts at zero and must earn any benefit. From our resolutions, you can identify factors that set strong cooperation and remediation apart from less impressive efforts. Let me touch on a couple of examples.

SAP, which I mentioned earlier, earned a 40% reduction in the criminal penalty — near the maximum reduction available for companies that do not voluntarily self-disclose. The company immediately began to cooperate after news reports publicized some of the allegations and took steps to proactively cooperate that made a real difference in our ability to advance our independent investigation. The company also moved quickly to remediate the misconduct, including by promptly disciplining responsible employees, reducing its risk profile, and expanding the data analytics capabilities of its compliance program.

On the other end of the spectrum, Trafigura received a reduction of only 10% for cooperation and remediation. Trafigura’s cooperation credit was limited because the company failed to preserve and produce certain evidence in a timely manner during early phases of the investigation. And the company’s early posture in resolution negotiations caused significant delays and required our prosecutors to expend substantial efforts and resources to develop additional evidence. The company’s remediation was also mixed. While Trafigura improved its compliance program, it was slow to discipline certain employees.

Through our resolutions, we seek to highlight what a company did, or failed to do, to get more or less credit for cooperation and remediation. We do that to provide transparency and to guide other companies, and to make clear that we provide the greatest benefits to companies that act with urgency and truly go above and beyond.

Rest assured, we take notice of companies that make the right choices and invest in and support effective compliance programs. When compliance officers have the necessary resources to do their jobs — and a seat at the table in the boardroom to have their voices heard — companies are better situated to prevent, detect, and stay ahead of misconduct when it occurs. And companies that do those things — and move quickly to cooperate and remediate when misconduct occurs — will put themselves in the best position to achieve the most favorable outcomes when dealing with the Criminal Division’s investigations and prosecutions.

From our whistleblower and clawback pilot programs to our updated ECCP, we are using more tools than ever before to identify corporate misconduct and to encourage companies to be good corporate citizens. Companies that step up and own up to misconduct send a powerful message about the importance of a robust compliance program and an ethical corporate culture.

I hope today you’ll take this message back to your companies: now is the time to make the necessary compliance investments to help prevent, detect, and remediate misconduct. And when you uncover misconduct: call us before we call you.

These remarks were delivered on September 23, 2024, by Principal Deputy Assistant U.S. Attorney General Nicole M. Argentieri at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute in Grapevine, Texas.

Leave a Reply

Your email address will not be published. Required fields are marked *