Aligning your compliance program with the new DOJ guidance on corporate criminal enforcement: 3 takeaways and 4 practical steps
In a recent speech, Deputy Attorney General (DAG) Lisa Monaco unveiled the Department of Justice’s top priorities for corporate criminal enforcement. The speech corresponded with the release of a memorandum (which has popularly been dubbed the Monaco Memo) revising the DOJ’s Corporate Criminal Enforcement Policies.
The Monaco Memo details a shift in DOJ’s enforcement priorities and further emphasizes the DOJ’s focus on individual accountability. The specificity of the DOJ’s guidance provides General Counsels and Chief Compliance Officers with an opportunity to educate key stakeholders on the value of greater investment in a company’s compliance program.
Here are three key takeaways from the guidance and four practical ways to align compliance programs to the recent DOJ guidance.
Three key takeaways from the Monaco Memo
In her speech, DAG Monaco highlighted several priority areas. Each of these priority areas is directly relevant to compliance program design and operation.
These priority areas fall into three broad categories: individual accountability, enhanced cooperation and self-disclosure, and continued remediation and enhancement.
1. Individual accountability
A predominant theme of DAG Monaco’s remarks and the Monaco Memo is the importance of individual accountability. In her September remarks, DAG Monaco emphasized individual accountability as the Department’s “number one priority,” stating that the DOJ would “hold those who break the law accountable, regardless of their position, status, or seniority.” This focus on individual accountability permeates throughout the DOJ’s recent guidance and influences many of the DOJ’s recommendations.
While the focus on individual accountability is not new, the Monaco Memo highlighted specific ways the DOJ expects companies to hold the individuals responsible for their misconduct. The DOJ expects companies to implement policies and procedures that ensure that the company can hold individuals financially accountable for their criminal misconduct – and reward those who promote compliance within the organization. This includes building compensation systems which “reward compliance-promoting behavior” while containing clawback policies which withdraw compensation from individuals found to have engaged in criminal misconduct.
2. Cooperation and self-disclosure
Intertwined with the DOJ’s focus on individual accountability is an increased emphasis on corporate cooperation and self-disclosure. The Monaco Memo emphasizes that “[c]ompanies seeking cooperation credit ultimately bear the burden of ensuring that documents are produced in a timely manner to prosecutors” and that companies should, therefore, prioritize the production of evidence “relevant for assessing individual culpability.” As DAG Monaco emphasized, prosecutors are encouraged to “move faster” and directed to complete investigations into individuals-and seek any warranted individual criminal charges - prior to or simultaneously with the entry of a resolution against the corporation.”
As a result, the DOJ expects companies to move quickly to identify those responsible, disclose those individuals to the DOJ, and produce all underlying evidence against the individual, in addition to evidence supporting the broader company misconduct, as soon as possible if the company hopes to obtain a favorable resolution.
When discovering hot documents or new evidence, a company’s first instinct, DAG Monaco instructed, should be to notify prosecutors. “Undue or intentional delay” in producing evidence, including where a company uses foreign data privacy laws or other statutes to shield production, may result in the DOJ reducing or even denying cooperation credit.
Additionally, the DOJ will expand existing Voluntary Self-Disclosure (VSD) programs to the entire Department. All Department components who prosecute corporate crime will be instructed to ensure they have formal, documented policies that detail how they intend to incentivize VSDs and outline clear expectations surrounding what constitutes self-disclosure.
DAG Monaco emphasized that VSDs have been successful in the DOJ’s antitrust, criminal, and national security divisions, and that expanding these programs will create predictability when corporations self-disclose. When a company (1) voluntarily self-discloses; (2) fully cooperates; (3) timely and appropriately remediates;, and (4) “demonstrates that it has implemented and tested an effective compliance program” the Monaco Memo states that the DOJ will not only reduce corporate penalties but will also recommend against appointing an independent monitor.
It remains to be seen how the DOJ’s focus on expediency will influence corporate settlements and independent monitor use moving forward.
2. Corporate recidivism and remediation
The final takeaway from DAG Monaco’s remarks is her clarification on how the DOJ considers a company’s prior misconduct. DAG Monaco announced that the DOJ will shift how it evaluates a corporation’s history of misconduct, contextualizing prior instances. The DOJ will give more weight to prior misconduct that (i) resulted in criminal resolution; (ii) involved the same personnel or management as the current misconduct; (iii) occurred less than ten years (for criminal investigations) or five years (for civil investigations) before the conduct currently under review; and/or (iv) shared the same root cause as the current misconduct.
The Monaco Memo provides key context to guidance the DOJ issued a year ago. In an October 21, 2021 ABA event speech, DAG Monaco announced that the DOJ’s review would consider a company’s “whole criminal, civil and regulatory record,”; she observed that a “record of misconduct speaks directly to a company’s overall commitment to compliance programs and the appropriate culture to disincentivize criminal activity.” As we previously covered, the 2021 ABA speech marked a potentially major shift in corporate enforcement, especially for companies in highly regulated industries.
The DOJ’s updated guidance clarifies that the primary focus of a company’s misconduct history is an examination of what caused the conduct and what the company did to correct it. Specifically, the Monaco Memo instructs prosecutors to “assess the adequacy and effectiveness of the corporation's compliance program at two points in time: (1) the time of the offense and (2) the time of a charging decision.”
This position is consistent with the DOJ’s Evaluation of Corporate Compliance Program, which notes “that the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense.” Rather, the ability of a company to identify misconduct and strengthen controls in response is evidence of strong corporate controls. Demonstrating the ability to identify and correct non-compliance activities and a lack of correlation between past and present misconduct will be critical in mitigating potential penalties and avoiding an independent monitor.
Four practical ways to respond
Here are four areas that compliance leaders may want to prioritize when responding to the new DOJ Guidance.
1. Educate senior executives and the board on the value of a strong compliance program
First and foremost, companies need to continue investing in and strengthening their compliance programs. The DOJ’s past and current guidance provides companies with a roadmap as to how the DOJ evaluates compliance programs and the controls the DOJ expects companies to implement. The ability to identify the root cause of non-compliant behavior and implement controls to prevent similar misconduct is crucial to mitigating potential penalties in the future. This is especially true for companies with a history of compliance issues.
One way that companies have educated their stakeholders is to use the DOJ’s guidance as a monitoring tool. Companies should consider examining their current controls using the questions and criteria in the relevant DOJ guidance and identify how the company would answer the DOJ’s questions. Using this approach can help compliance leaders identify gaps and make strategic, targeted investments in their compliance programs.
Regardless of how it’s done, compliance leaders should stress the benefits of greater investment in their company’s compliance controls. As DAG Monaco warned, the failure to invest today will very likely result in significant penalties down the road.
2. Reexamine your company’s investigation and escalation policies
Compliance leaders need to reexamine their company’s investigation and escalation policies to ensure that the company is equipped to expediently evaluate the need for self-disclosure and to address potential individual culpability early in investigations. The DOJ’s recent guidance stresses that time is of the essence and may be the difference between a company receiving full, partial, or no cooperation credit.
However, there is an inherent tension between speed and accuracy. It is important to both the company and its employees that the individuals identified to the DOJ are, in fact, responsible for the misconduct at issue. The best way to ensure orderly internal communications and processes in the face of an investigation is to have well thought out investigation and escalation protocols.
The need for early disclosures can cause significant hurdles for companies that are not prepared. A few areas that compliance leaders can look to strengthen their policies may include:
- Enact clear data collection protocols that ensure quick collection and preservation of documents involving individuals identified in misconduct
- Given the heightened focus on individual accountability, incorporate clear Upjohn warnings at the start of employee investigation interviews and create contemporaneous documentation that such warnings were in fact provided
- Create clear reporting lines to the board and key stakeholders to evaluate allegations against senior leadership and executives and
- Implement clear reporting protocols that promptly escalate allegations and findings of misconduct to the General Counsel and/or Chief Compliance Officer to evaluate whether self-disclosure to the DOJ is necessary.
The DOJ’s focus on expediency will place new pressures on companies moving forward. It is imperative that your company develop a system that ensures information is escalated to the relevant stakeholders quickly and accurately to allow the company time to make quick and wise disclosure decisions.
3. Partner with HR on revising compensation programs and performance evaluations
Compliance leaders need to begin a dialogue with their colleagues in Human Resources to find ways to strengthen compliance through compensation initiatives and performance metrics. The DOJ has made clear that it expects companies to claw back bonuses and other compensation given to individuals who are found to have engaged in criminal misconduct. This may require revisions to corporate compensation policies and/or employee contracts, including clear guidelines for what is necessary to trigger a clawback.
Economic retribution, however, is not the only option. Compliance leaders should discuss ways to implement compliance metrics into an employee’s key performance indices (KPIs) to ensure that compliance is an integral part of an employee’s career advancement. Compliance leaders should be on the lookout for future DOJ guidance on recommended compliance KPIs and incentives to reward corporations that employ clawback policies or similar measures. This guidance is expected to be released soon.
4. Implement controls on use of personal devices and third-party messaging platforms
While the DOJ has traditionally provided general guidance and recommendations on how a company should design its compliance program, the DOJ’s recent guidance is explicitly clear – all compliance programs must have a personal devices policy and controls surrounding the use of third-party messaging platforms for company business.
As the Monaco Memo explained, “[t]he ubiquity of personal smartphones, tablets, laptops, and other devices poses significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation.” The use of third-party applications designed with anonymity and auto-delete functions for company business have come under increased scrutiny of federal regulators in recent months, particularly failures to properly monitor employee use of WhatsApp and other ephemeral messaging platforms.
As these applications are increasingly being used to enable low-cost, quick and secure communications by business professionals around the globe, the need for policies that permit companies to preserve, collect and review all non-privileged communications and data related to the company’s business – wherever the professionals may reside – is especially critical. The Monaco Memo underscores that companies that want to qualify for full cooperation credit need to collect and provide evidence of individual misconduct to the DOJ quickly. In order to meet this expectation, companies must implement policies that “ensure that [they] will be able to collect and provide to the government all non-privileged responsive documents relevant to the investigation” including text messages, chats, or other information stored on mobile phones, tablets, or any other devices potentially used by employees for company business. The implementation of strong personal devices and third-party messaging policies will be key in demonstrating the adequacy and effectiveness of the corporation's compliance program.
The Monaco Memo provides General Counsels and Chief Compliance Officers with a unique opportunity to educate key stakeholders on the value of investing in compliance. Taking certain practical steps now may help your company mitigate risk, reduce the odds of significant penalties for misconduct, and, of course, avoid missteps entirely.
Find out more about the Monaco Memo and its implications for your company by contacting any of the authors.