Over the past few months, the Department of Justice (DOJ) has released several new and updated policies as part of its fight against corporate crime and increased focus on corporate compliance.
The latest policies offer critical insight into expected conduct for entities doing business in the current regulatory environment and how they will be evaluated if they engage with regulators. To the extent companies have not already focused on these updates (and their impact on existing compliance policies), it is critical to review the DOJ’s recent guidance on ephemeral messaging, executive compensation clawbacks and crime victims’ rights, and take appropriate action.
On March 3, 2023, the DOJ released its updated Evaluation of Corporate Compliance Programs (“ECCP”), which included new guidance on ephemeral messaging platforms and the use of personal devices for businesses. While DOJ acknowledged the value that ephemeral messaging platforms can offer businesses, it made clear that companies are expected to ensure that business-related electronic data and communications are accessible and amenable to preservation, even as it relates to communications made on personal devices and by third-party agents of the company.
Under this new policy, DOJ expects companies to treat messaging and personal device use as a standard part of their risk assessment process and compliance program.
Corporations with robust compliance programs should:
- Have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications
- Provide clear training to employees about such policies
- Enforce such policies when violations are identified
The DOJ isn’t the only agency focused on this area. Recently, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) launched probes regarding the retention of employee communications made via ephemeral messaging platforms at large financial institutions. Several institutions reached settlements with the SEC and the CFTC totaling US$1.8 billion in civil penalties in late 2022.
The SEC has noted that widespread failure to implement policies prohibiting such inappropriate communications is tantamount to employers’ failures to supervise employees and prevent and detect violations.
Steps To Take Now:
- Collect information to understand how employees are using messaging platforms and personal devices in their organization.
- Conduct assessments to understand the risks posed by such use.
- Implement clear and enforceable policies and controls as applicable to the particular risks of the organization.
- Consider alternative messaging applications that permit preservation of communications while enabling business activities.
- Train employees, including board members, regarding these policies, including expectations for use of messaging platforms and personal devices for business communications.
- Enforce policies with appropriate consequences and discipline for noncompliance.
- Monitor and test controls to identify noncompliance and determine effectiveness, and, if appropriate, take necessary remedial steps.
Ultimately, companies should consult with counsel and take a risk-based approach in developing, implementing and enforcing strong, well-reasoned policies to ensure that relevant business communications and information are preserved and can be produced in the event of an internal inquiry or regulatory investigation. The adage “an ounce of prevention is worth a pound of cure” will likely hold true in this area – preparation in the short term may save significant operational impact, monetary penalties and reputation management issues in the longer term.
Pilot Program – New Compensation Incentives and Clawbacks
In March, Deputy Attorney General Lisa Monaco announced the launch of DOJ’s Compensation Incentives and Clawbacks Pilot Program (Compensation Pilot Program), providing further incentives for corporate compliance, as part of several significant revisions to DOJ’s Corporate Enforcement Policy (CEP).
The Compensation Pilot Program, which went into effect for three years beginning March 15, 2023, applies to companies entering into corporate criminal resolutions with DOJ’s Criminal Division and has two key components – (1) compliance enhancements requiring companies to implement compliance-related criteria in their compensation and bonus system and report to DOJ on the same; and (2) a deferred fine reduction in an amount equivalent to any compensation that is recouped from executives during the period of the resolution.
All companies, both public and private, are impacted by the policy. As with prior DOJ compliance guidance, many companies will look to the Compensation Pilot Program as an indication of DOJ’s expectations of best practice in corporate compliance.
Considering this, companies should strongly consider adopting or amending a clawback policy to allow for the recovery of previously paid compensation in circumstances as contemplated by the Compensation Pilot Program and revised CEP. A company’s right to seek a clawback pursuant to policy should also be incorporated into employment agreements, offer letters and a company’s bonus and incentive plans, to optimize the potential for recovery.
In particular, public companies that have or are implementing clawback policies in light of the Dodd-Frank Wall Street Reform and Consumer Protection Act should consider whether and how to adjust these policies to account for the broader DOJ policy (i.e., whether to incorporate these guidelines into the company’s SEC-mandated clawback policy or adopt a separate policy). It is also important to consider DOJ’s new guidance and brief their compensation committees, executives and other appropriate internal stakeholders about potential expansion of those clawback policies and procedures.
Of course, there are very real, practical challenges for companies in actually enforcing these policies, including state wage and hour law restrictions; foreign employment law protections; and the cost and effort in enforcing clawbacks. Regardless, companies operating in the US should consider what steps they can take to mitigate risk and demonstrate a good faith effort to put parameters in place. Again, consulting with counsel to review, revise and reinforce any current compliance efforts will be an essential first step for every business.
Crime Victims’ Rights and Corporate Settlements
While crime victims’ rights have long been a focus in cases brought by DOJ, the spotlight has recently shifted toward corporate resolutions that address these rights. On March 31, 2023, the revised US Attorney General Guidelines for Victim and Witness Assistance (Guidelines) went into effect.
The revised Guidelines meaningfully expand support for people and entities who are significantly harmed by a crime but still may not meet the statutory definition of “victim” contained in the Crime Victims’ Rights Act (CVRA) (defined as a person “directly and proximately” harmed by the charged conduct).
Additionally, while the Guidelines previously afforded CVRA rights once a defendant was charged, they now require affording those rights “as early in the criminal justice process as is feasible and appropriate, and even “before a charging document is filed.”
What does this mean for business?
These changes will have a significant impact on companies seeking to settle matters under investigation with DOJ, as well as counterparty companies, to potentially seek relief as victims in the resolution.
These changes came about after certain rulings late last year in United States v. Boeing (ND. Tex.). There, the court determined that those who died in the Lion Air Flight 610 crash of October 2018 and the Ethiopian Airlines Flight 302 crash of March 2019 were directly and proximately harmed as a consequence of Boeing’s conspiracy to defraud the United States as set forth in its Deferred Prosecution Agreement (DPA). The court ruled that those who died on those flights were “crime victims” under the CVRA and that family members of the deceased, as representatives of the crime victims, could assert rights under that act, including the right to confer with the government and to be informed in a timely manner as to any plea bargain or DPA. This shift creates a tremendous consideration for any consumer-facing business, whether negotiating a resolution with the government or being considered a potential victim entitled to recovery.
The court’s rulings in Boeing breaks new ground and coincides with the enhanced focus on crime victim engagement by DOJ as announced in October 2022 and that went into effect on March 31, 2023. Given the DOJ’s revised Guidelines, corporations are very wise to take into account the risk of enhanced victim participation in negotiations and potential challenges to resolutions when entering into DPAs or other negotiated settlements with DOJ, as well as to consider their own potential victim status in other corporate resolutions.
Key Takeaway – Review Policies Now
Reviewing your policies now with experienced counsel will save your business time, money, and potential headaches down the road. Put fresh eyes on your policies and procedures with a focus on the most recent DOJ updates. There is enough to keep business and legal leaders up at night – minimize the risk and maximize your sleep.