Following up on her watershed 2021 memo, Deputy Attorney General Lisa Monaco’s latest missive highlights a pair of issues that companies need to begin preparing for now if they are to avoid major FCPA repercussions down the line. John E. Davis, member and practice lead of Miller & Chevalier’s FCPA and international anti-corruption practice in Washington, D.C., digs into the issues.
Recent guidance by the U.S. Department of Justice (DOJ) regarding corporate criminal investigations will require attention and potentially significant compliance program upgrades by companies to ensure they remain eligible for favorable consideration in the event of a DOJ investigation. Among other areas, companies should start to review their oversight of employee communications using personal devices and ephemeral messaging applications such as WhatsApp and their executive compensation systems, focusing on incentives and discipline related to compliance behaviors.
On Sept. 15, Deputy Attorney General Lisa Monaco issued a new memorandum on “Further Revisions to Corporate Criminal Enforcement Policies” that will apply across all of the DOJ’s components, including the Fraud Section, which enforces the U.S. Foreign Corrupt Practices Act (FCPA). This new memorandum follows Monaco’s Oct. 28, 2021, memorandum on “initial revisions” to those policies and is the result of an evaluation process by the DOJ’s corporate crime advisory group.
The new Monaco memorandum announces new guidance for DOJ prosecutors in several key areas of interest to companies potentially facing criminal investigations, including:
- The prioritization of building cases against culpable individuals in parallel with related corporate investigations and clarification on whether corporate self-disclosures are “timely” as they relate to conduct by employees.
- Discussion of how to evaluate a company’s history of prior corporate misconduct in making decisions about resolving current investigations.
- New commentary on how to evaluate a company’s corporate compliance program, including new specific discussion of the role of executive compensation structures (incentives and disciplinary mechanisms).
- Expansion of prior DOJ guidance on corporate policies related to use of personal devices and third-party applications (such as WhatsApp and other chat applications), focused on the need for corporate policies to ensure that information from these sources can be provided to the DOJ in investigations.
- New discussion on the imposition, selection and management of independent compliance monitors, including the need for active DOJ engagement throughout the term of any monitorship.
Monaco and Assistant Attorney General for the Criminal Division Kenneth Polite have spoken publicly on the new memorandum, offering additional commentary related to the topics above and other issues. In many instances, the new memorandum extends principles articulated in the previously issued FCPA corporate enforcement policy across the entire DOJ (except for other existing policies, such as those long issued by the Antitrust Division). As such, in the world of FCPA enforcement, the new memorandum is not a game changer, but companies involved in DOJ FCPA inquiries now face multiple new challenges as a result of the new guidance.
Two of the most critical challenges involve employees’ use of personal devices and third-party applications for work communications and the use of employee compensation to discipline and incentivize compliance. The DOJ plans to issue further guidance on both areas in the future, but companies should begin assessing how to manage these issues now.
Managing company data on personal devices and third-party applications
The new Monaco memo summarizes past DOJ policies on evaluating the effectiveness of corporate compliance programs, including the Criminal Division’s guidance, which was most recently updated in 2020. The discussion reiterates that, in the context of determining an appropriate disposition to an investigation, the DOJ should “assess the adequacy and effectiveness of the corporation’s compliance program at two points in time: (1) the time of the offense; and (2) the time of a charging decision.”
The memorandum also identifies two “additional metrics relevant to prosecutors’ evaluation of a corporation’s compliance program and culture.” One additional metric directs DOJ prosecutors to “consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms [such as WhatsApp or, perhaps more challenging, the Chinese WeChat] to ensure that business-related electronic data and communications are preserved (emphasis added).” The memorandum notes further that “[a]s a general rule, all corporations with robust compliance programs should have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications, should provide clear training to employees about such policies, and should enforce such policies when violations are identified.”
Preservation of such data was also the focus of the SEC’s recent penalties (totaling close to $2 billion) levied against various financial services institutions for “widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications” per specific recordkeeping requirements under federal securities laws. Much of the penalized activity involved employee use of “text messaging applications on their personal devices” for “off-channel communications” that the companies did not maintain or preserve. While the rules at issue in these settlements are limited to financial services, the DOJ is pushing all companies to preserve similar communications in order to be eligible for full credit for cooperation in any DOJ investigation.
The scope of the new Monaco memorandum’s language is broad, covering data on all personal devices, including phones, tablets, and laptops, that employees use for business communications. Relevant software and applications that fall under this guidance if used for business purposes include outside ephemeral messaging applications that automatically delete messages after a certain period of time, like Snapchat, WeChat or Signal; outside applications that use end-to-end encryption, like WhatsApp or Telegram; and outside email programs like Gmail.
The focus on personal devices and third-party applications is not new, as the DOJ’s 2019 revisions to the FCPA corporate enforcement policy emphasize the need to preserve data from “personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications.” Nevertheless, this requirement remains a challenge for companies to implement, especially with regard to non-U.S. applications like WeChat and as other countries’ data privacy and national security regulations continue to develop and apply to data on personal devices.
In recognition of these challenges, the new Monaco memorandum directs the DOJ’s Criminal Division “to further study best corporate practices regarding use of personal devices and third-party messaging platforms and incorporate the product of that effort into the next edition of its Evaluation of Corporate Compliance Programs, so that the department can address these issues thoughtfully and consistently.” That said, companies that wish to benefit from the DOJ guidance are expected to implement controls on the use of personal devices and ephemeral communications before any FCPA matter arises. Companies thus should consider:
- Conducting a reasonable, risk-based, demonstrable assessment of employees’ use of personal devices and ephemeral communications to assess the company’s need for appropriate controls over personal devices and ephemeral messaging platforms that are tailored to a company’s specific operations.
- In light of the assessment’s findings, modifying any existing policies or developing new guidance that clearly instructs employees regarding (1) what types of personal devices (if any) and communication software are permissible to use in connection with business matters and (2) the rules that apply to preserving all such business communications on a timeline consistent with the company’s other document/data preservation requirements.
- Checking those rules for potential issues under relevant data privacy or other applicable data management regimes, such as the EU’s General Data Protection Regulation (GDPR).
- As needed, developing and implementing new training to employees on the rules related to personal devices and third-party applications, focused on preservation requirements.
- Being ready to enforce the rules appropriately across the company.
Incentivizing and disciplining executives using compliance metrics
The second “additional metric” related to corporate compliance programs and cultures focuses on the role of compensation structures — both disciplinary measures and incentives that support compliant behaviors. Such structures, especially on the discipline side, have long been considered a key element of an effective compliance program by the DOJ and SEC, as well as under international standards.
The DOJ’s existing compliance program effectiveness guidance has included questions as to “[h]ow the company incentivize[s] compliance and ethical behavior” and whether “there [have] been specific examples of actions taken (e.g., promotions or awards denied) [or bonuses, cited elsewhere] as a result of compliance and ethics considerations.” The new Monaco memorandum builds on this language by stating that “[p]rosecutors should … consider whether a corporation’s compensation systems provide affirmative incentives for compliance-promoting behavior.” The memorandum notes that such affirmative incentives could include “the use of compliance metrics and benchmarks in compensation calculations and the use of performance reviews that measure and reward compliance-promoting behavior, both as to the employee and any subordinates whom they supervise.”
As the DOJ is aware, many companies have already deployed these types of incentives, though the details and execution can vary widely based on many factors. The formal addition of this metric will mean that companies that have resisted these types of incentives in the past may want to reconsider such incentives’ potential benefits for managing enforcement risks.
The memorandum also expands on the assessment of disciplinary measures, noting that “prosecutors should examine whether compensation systems are crafted in a way that allows for retroactive discipline, including through the use of [compensation] clawback measures, partial escrowing of compensation, or equivalent arrangements.” Further, the memorandum instructs prosecutors to evaluate whether and how a company has “taken affirmative steps to execute on such agreements and clawback compensation previously paid to current or former executives whose actions or omissions resulted in, or contributed to, the criminal conduct at issue (emphasis added).” In a speech at Global Investigations Review’s GIR Live event on Sept. 20, Principal Associate Deputy Attorney General Marshall Miller discussed the DOJ’s expectations as to clawbacks, stating, “[w]hat we expect now in 2022 is that companies will have robust and regularly deployed clawback programs, [as] [a]ll too often we see companies scramble to dust off and implement dormant policies once they’re in the crosshairs of an investigation.” He also noted that prosecutors would assess whether “the company [is] targeting bonuses to employees and supervisors who set the right tone.”
Other statements by Monaco at the time of her speech indicate that the DOJ’s focus on clawbacks is being coordinated with recent SEC statements regarding increased enforcement of Section 304 of the Sarbanes-Oxley Act, under which the SEC has required CEOs and CFOs to reimburse their companies for certain compensation if the company is required to restate its financials resulting from misconduct.
It is unclear how extensively the DOJ has considered the potential challenges for companies to implement such features as clawbacks in their existing executive compensation systems (especially as to former executives), given the rules that govern such systems and the market dynamics that drive such compensation at senior levels. Often the money at issue has already been taxed, invested, or spent, and managing the tax consequences can be difficult for both the company and executives.
Perhaps a sign of the awareness of these difficulties is that the new Monaco memorandum directs the Criminal Division to “develop further guidance by the end of  on how to reward corporations that develop and apply compensation clawback policies, including how to shift the burden of corporate financial penalties away from shareholders — who in many cases do not have a role in misconduct — onto those more directly responsible.” In his speech, Polite noted that, during this process, the division will “get inputs” from “experts on executive compensation.”
In the meantime, companies should consider:
- Reviewing company bylaws, articles, and compensation policies to determine the level of existing authority and flexibility for executing clawbacks and related actions.
- Ensuring that current policies, processes, and related training and management messaging make clear that compliance-related lapses by employees can trigger clawbacks or other appropriate financial circumstances.
- Assessing whether existing policies adequately allow for clawbacks or related actions in cases of executives’ failure in supervision or omissions that caused compliance or controls failures.
- Analyzing the state of any compliance-related incentives for employees and managers and determining whether additional financial or other incentives or key performance indicators (KPIs) are appropriate to reinforce a strong compliance culture.