Written by: Alisa Lewis, CHC, CRISC
On September 15, 2022, Deputy Attorney General Lisa O. Monaco delivered remarks[i] on corporate criminal enforcement and issued a memorandum entitled “Further Revisions to Corporate Enforcement Policies Following Discussions with Corporate Crime Advisory Groups” (the “Memorandum”)[ii]. The remarks and Memorandum are follow-ups to the October 2021 Memorandum from DAG Monaco, “Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies.” They describe department-wide revisions to the DOJ’s existing corporate criminal policies and practices and provide guidance about individual and corporate accountability, independent compliance monitorships, and a commitment to transparency in corporate criminal enforcement.
While I believe compliance officers and compliance professionals should read the Memorandum and remark text in their entirety, there are a few points I found most interesting.
Not only must corporations disclose to the DOJ all relevant, non-privileged facts about individual misconduct, but to receive full cooperation credit in an investigation, the information must be disclosed in a timely manner. Corporations must prioritize giving prosecutors the evidence that is most relevant to determining the individual’s culpability. Prosecutors must now take the timeliness of producing evidence into consideration with every corporate resolution.
The Memorandum points out that many DOJ components that prosecute criminal violations already have voluntary self-disclosure policies. The Memorandum also directs any DOJ component that does not have a voluntary self-disclosure policy to draft one and share it publicly. The voluntary self-disclosure policies must follow several core principles, including not seeking a guilty plea from a corporation that voluntarily self-disclosed, fully cooperated, and remediated the misconduct in a timely manner and without aggravating factors, and not imposing a monitor on cooperating corporations that demonstrate they have an effective compliance program.
Evaluation of a Corporation’s Compliance Program
In addition to the factors the DOJ has included in previous guidance about determining if a compliance program is effective, two more factors or “metrics” were identified in this Memorandum.
The first new factor – to help determine if a corporation has an effective compliance program and compliance and ethics culture, prosecutors are told to consider if corporations have incentive programs in place to promote compliance as well as clawback provisions that allow penalties against those who have been involved in misconduct.
The second new factor – prosecutors should consider if the corporation has implemented effective policies and procedures on the use of personal devices and third-party applications “to ensure that business-related electronic data and communications are preserved.”[iii]
Considering the guidance in DAG Monaco’s remarks and Memorandum, corporations should review their existing policies and procedures related to cooperating in compliance investigations, voluntary self-disclosures, compliance reward systems, and use of personal devices and third-party messaging platforms to ensure they are in line with the updated guidance.
- Investigations policies should require timely provision of documents and information to the DOJ and should prevent undue delay in providing such information.
- Voluntary self-disclosure policies should require the organization to self-disclose when misconduct is discovered. Voluntary self-disclosures can save a corporation hundreds of millions of dollars in fines, penalties, and costs, can avoid reputational harms from pleading guilty, and can reduce the risk of collateral consequences like suspension and debarment in relevant industries.
- Compliance programs should include both positive incentives to promote compliance and clawbacks or financial penalties for non-compliance. Employees should be aware of the reward system, the system should be monitored to make sure it’s working as designed, and its effects should be monitored to see if it is delivering its intended benefit.
- Compliance policies and procedures should also address the use of personal devices and third-party messaging platforms to ensure business communications are preserved. A policy on personal devices and third-party messaging should take into account not only the guidance from the Memorandum, but also existing corporate security controls and potential privacy concerns.
DAG Monaco stated in the Memorandum that additional guidance will be issued on several topics. It will be interesting to see what the guidance entails.