As part of a recent series of announcements regarding updates to its corporate compliance policies, the Department of Justice (DOJ) announced significant revisions to its evaluation criteria for corporate compliance programs, centered on compensation incentives and clawbacks as well as the use of personal devices and communication platforms in corporate settings. These announcements are part of DOJ’s ongoing efforts to promote transparency and predictability in its corporate expectations, incentivize compliance, and hold individual wrongdoers personally accountable.
The revisions to the DOJ Criminal Division’s Evaluation of Corporate Compliance Programs (ECCP) guidance for federal prosecutors are the latest in a series of updates to DOJ’s corporate crime enforcement policies announced in September 2022 by Deputy Attorney General Lisa Monaco (the Monaco Memo). They follow DOJ’s recent announcement of the nationwide Voluntary Corporate Self-Disclosure Policy seeking to incentivize timely reporting of corporate misconduct. DOJ detailed its new guidance in speeches by Deputy Attorney General Monaco and Assistant Attorney General Kenneth Polite at the American Bar Association’s Annual National Institute on White Collar Crime on March 2 and 3, 2023.
Corporate Compensation and Pilot Program
The ECCP provides that a “hallmark of effective implementation of a compliance program is the establishment of incentives for compliance and disincentives for non-compliance.” Deputy Attorney General Monaco noted that the purpose of the changes to the ECCP is to “shift the burden away from uninvolved shareholders and onto those more directly responsible.” Monaco stated that companies “should ensure that executives and employees are personally invested in promoting compliance” and noted that “nothing grabs attention or demands personal investment” like company personnel having “skin in the game, through direct and tangible financial incentives.”
As such, the revised ECCP directs DOJ prosecutors considering the design and effectiveness of a compliance program to assess:
- “[W]hether the company has clear consequence management procedures (procedures to identify, investigate, discipline and remediate violations of law, regulation, or policy) in place, enforces them consistently across the organization, and ensures that the procedures are commensurate with the violations.”
- “[T]he extent to which the company’s communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct.”
Examples of the criteria prosecutors are to assess include whether a company has internally publicized disciplinary actions so as to deter future compliance violations, and whether a company is tracking data relating to disciplinary actions to measure the effectiveness of the investigation and consequence management functions.
In addition to incorporating these criteria into the ECCP, DOJ is implementing a Pilot Program Regarding Compensation Incentives and Clawbacks (Pilot Program). The three-year Pilot Program, which takes effect on March 15, 2023, and applies to all corporate resolutions involving the DOJ Criminal Division, has two components:
- First, every corporate resolution going forward will require companies to develop compliance-promoting criteria in their compensation and bonus systems. Appropriate criteria may include but are not limited to “(1) a prohibition on bonuses for employees who do not satisfy compliance performance requirements; (2) disciplinary measures for employees who violate applicable law” (including those who supervised the employees and/or business units and were aware of or willfully blind to the conduct); and “(3) incentives for employees who demonstrate full commitment to compliance processes.”
- Second, the Pilot Program allows for fine reductions for companies that seek to claw back compensation from “culpable employees and others who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct.” If a company fully cooperates, timely and appropriately remediates, and demonstrates that it has implemented a recoupment program, DOJ will allow a reduction of a corporate fine in the amount of 100% of any compensation recouped during the period of the resolution. To the extent that a company is not successful in its good-faith efforts to recoup any such compensation, the Pilot Program grants prosecutors the discretion to allow up to a 25% reduction in the amount of the compensation the company attempted to claw back.
The ECCP guidance and Pilot Program reflect DOJ’s continued emphasis on driving individual accountability in corporate criminal enforcement. Specifically, these efforts reward companies that not only timely disclose misconduct and cooperate with government investigations but also provide financial incentives for compliant behavior, as well as to companies that punish wrongdoers through the elimination or prohibition of bonuses and/or the clawback of ill-gotten compensation.
Personal Devices and Messaging Applications
The revised ECCP also includes new guidance for federal prosecutors regarding companies’ use of personal devices and communications platforms and messaging applications, including those that offer ephemeral messaging. The September 2022 Monaco Memo initially identified the widespread use of personal devices and the rise in the utilization of third-party messaging platforms as posing “significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation.” As such, the Monaco Memo directed the DOJ Criminal Division to study “best corporate practices” regarding the use of personal devices and third-party messaging applications for purposes of incorporating this guidance into the ECCP.
The revisions to the ECCP announced by Assistant Attorney General Polite on March 3, 2023, recognize that “[m]essaging applications have become ubiquitous in many markets and offer important platforms for companies to achieve growth and facilitate communication” and direct prosecutors to “consider a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications” in evaluating policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct. The ECCP is clear that it expects companies to tailor their approach to the use of personal devices and communications and messaging applications to their specific business needs and individualized risk profiles. In the context of an investigation, the ECCP requires DOJ prosecutors to evaluate the following factors relating to data and communication policies and preservation:
- Communication Channels: DOJ will inquire as to what communication channels the company uses and allows to be used to conduct business, and what preservation steps are in place to manage and preserve information contained within each communication channel, as well as the rationale for the company’s approach in determining which communication channels and settings are allowed.
- Policies and Procedures: Prosecutors will seek information on what policies and procedures are in place to govern the preservation of, and access to, corporate data and communications stored on personal devices in companies that have “bring your own device” programs.
- Risk Management: The government will also inquire as to the consequences in place for employees who refuse to allow the company to access company communications on personal devices, and the limitations on the company’s ability to conduct internal investigations and/or evaluate its compliance program based on the use of ephemeral messaging applications.
The revised ECCP further directs prosecutors to “consider whether and how” policies and procedures relating to personal devices, communication platforms, and messaging applications have been communicated to company employees, and “whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.”
- Since Fall 2022, DOJ has made several policy announcements regarding its developing expectations with respect to corporate compliance, all intended to urge companies to update and enhance compliance policies, disclose misconduct, and punish individual wrongdoing.
- The use of compensation to reward compliance behavior and to deter and punish misconduct is not new to DOJ, though the revised ECCP and the new Pilot Program formalize DOJ’s guidance on how it will evaluate the effectiveness of a compliance program in the context of an investigation. Companies across industries should assess their compensation plans to consider whether compliance is sufficiently considered and incentivized. Similarly, companies should assess whether their compensation structures effectively punish and deter noncompliance.
- DOJ has been explicit about its expectations that companies have the ability to preserve and produce corporate data and communications, regardless of the communication channel or platform used, and that it will no longer accept at face value a company’s representation that it cannot access data on personal devices or third-party messaging platforms. With the revisions to the ECCP regarding mobile devices and messaging in mind, companies should reassess their policies relating to the use of personal devices and communication channels as well as their enforcement of deviations from those policies.
James D. GattaPartner
Anne E. RailtonPartner
Courtney D. OrazioPartner