The war of words regarding who is to blame for exorbitant pre-enforcement action professional fees and expenses continued in recent weeks.
By way of background and as highlighted in this prior post, in April Assistant Attorney General Leslie Caldwell stated – “we do not expect companies to aimlessly boil the ocean.”
Certain FCPA lawyers disputed Caldwell’s assertion – see here and here.
Recently, Assistant AG Caldwell again shot-back stating – as noted in this Wall Street Journal Risk & Compliance post – “That’s not us. That’s the companies” who are responsible for the pre-enforcement action professional fees and expenses.
Staying with the same topic, as noted in this recent Morgan Lewis “Lawflash,” here is what DOJ Fraud Section Chief Andrew Weissmann had to say at a recent event:
“When asked about the rising costs of Foreign Corrupt Practices Act (FCPA) investigations, Mr. Weissmann dismissed the suggestion that high investigative and defense expenses—which have cost some companies nearly half a billion dollars—are a predicate to receiving full cooperation credit. Noting some of the staggering legal fees in the hundreds of millions of dollars, Mr. Weissmann advised the audience that companies do not need to “boil the ocean” when investigating corporate misconduct. Although there may be “historical evidence” of DOJ asking companies to engage in “widespread investigations,” he assured the audience that this “is not the current Department of Justice view.”
Mr. Weissmann described a “real life example” of a multinational company that voluntarily disclosed FCPA misconduct in an unnamed foreign country by a team of individuals who also had responsibilities in three other countries. Because “there was very good reason to think that they would have engaged in the same conduct in those other countries,” Mr. Weissmann said, DOJ expected the company to investigate those countries in order to receive full cooperation credit, and the company complied. Mr. Weissmann noted that the company was neither asked nor expected to expand its investigation to the “Antarctic,” for instance, or high-risk countries (as determined by Transparency International’s Corruption Perceptions Index) where the company operated. As explained by Mr. Weissmann, “If there is an issue in one country and just speculation that the same issues could be happening elsewhere, then we should deal with the issue that is before us and come to a very quick resolution.” Investigations should be “appropriately tailored to the facts at issue,” he said, because both DOJ and the companies it investigates share the same interest in “prompt resolutions.”
As noted in this prior post, prior to becoming DOJ Fraud Section Chief, Weissmann was a vocal critic of various aspects of DOJ FCPA enforcement. Set forth below is what Weissmann wrote in Restoring Balance: Proposed Amendments to the FCPA.
“The current FCPA enforcement environment has been costly to business. Businesses enmeshed in a fullblown FCPA investigation conducted by the U.S. government have and will continue to spend enormous sums on legal fees, forensic accounting, and other investigative costs before they are even confronted with a fine or penalty, which, as noted, can range into the tens or hundreds of millions. In fact, one noteworthy innovation in FCPA enforcement policy has been the effective outsourcing of investigations by the government to the private sector, by having companies suspected of FCPA violations shoulder the cost of uncovering such violations themselves through extensive internal investigations.
From the government’s standpoint, it is the best of both worlds. The costs of investigating FCPA violations are borne by the company and any resulting fines or penalties accrue entirely to the government. For businesses, this arrangement means having to expend significant sums on an investigation based solely on allegations of wrongdoing and, if violations are found, without any guarantee that the business will receive cooperation credit for conducting an investigation.”
Back to Morgan Lewis’s “Lawflash” – here is what it says about other aspects of Weissmann’s recent remarks.
“Mr. Weissmann confirmed DOJ’s commitment to providing more transparency regarding cooperation credit and declinations by including greater factual details in non-prosecution agreements (NPAs) and deferred prosecution agreements (DPAs) and providing “general statistics” about declinations in a series of “anonymized examples.” Currently, because declinations are rarely, if ever, publicly announced, companies and their counsel have limited insight into how and why such determinations are made. That will change, Mr. Weissmann said, with DOJ providing the public with greater transparency about the declinations process and what companies can do to increase their chances of receiving declinations. Likewise, although DOJ’s website already contains some information about DPAs and NPAs, Mr. Weissmann assured the audience that they can expect to see more detail in the future about what exactly happened that resulted in specific dispositions to help companies assess the benefits of full cooperation.”
Finally on the DOJ speech “beat,” Assistant AG Cadlwell recently delivered this speech to a paying audience at Compliance Week.
“[C]orporate accountability. How corporations should be holding themselves accountable by designing compliance programs that don’t just look good on paper but actually work. Compliance programs that are designed to protect the company’s reputation, customers, counterparties and the public, as well as ensuring compliance with the law.”
In pertinent part, Caldwell stated:
“A corporation’s internal compliance policies and practices, and its compliance professionals, are the first lines of defense against fraud, abuse and corruption. As all of you know, there is no “one size fits all” compliance program. Rather, effective compliance programs are those that are tailored to the unique needs, risks and structure of each business or industry. While a corporate compliance program must, by definition, address regulatory risk and the risk of potential violations of law, a strong compliance program will not stop there. A strong program also will aim to deter employee misconduct, whether or not that misconduct poses obvious regulatory risk.
While companies have for years appropriately adopted a “risk-based” approach to compliance, we have seen that corporations all too often misdirect their focus to the wrong type of risk. We have repeatedly seen corporations target the risk of regulatory or law enforcement exposure of institutional and employee misconduct, rather than the risk of the misconduct itself. The result: compliance programs are too often behind the curve, effectively guarding against yesterday’s corporate problem but failing to identify and prevent tomorrow’s scandals.
In designing compliance programs, companies would be wise to examine all of their lines of business – including those not subject to regulation – and determine where specific risks are and how best to control or mitigate them. It is also critical that compliance programs take into account the operational realities and risks attendant to the particular company’s business, and are designed to prevent and detect particular types of misconduct likely to occur in a particular line of business.
For example, to comply with the Foreign Corrupt Practices Act (FCPA), businesses that tend to be exposed to corruption must employ different internal controls than businesses that have less exposure to corruption.
Too often we have heard companies say that a particular course of criminal conduct took them by surprise, when a hard look at the business practices would have identified the risk. And, far too often, we have heard companies exclaim in defense that everyone else is doing it – that others in the industry are engaged in the same misconduct. But as you all know, an industry-wide compliance failure is not a defense to knowing and willful criminal activity.
With this principle that compliance programs should be proactive, and not merely reactive in mind, there are some general hallmarks of effective compliance programs that I’d like to share with you today.
- A company must ensure that its senior leaders provide strong, explicit and visible support for its corporate compliance policies.Corporate management must enforce compliance policies, not tacitly encourage or pressure employees to engage in misconduct to achieve business objectives.
- We look not just at the written policies, but to other messages otherwise conveyed to employees, including through in-person meetings, emails, telephone calls, incentives/bonuses, etc.; and will make a determination regarding whether the company meaningfully stressed compliance or, when faced with a conflict between compliance and profits, encouraged employees to choose profits.
- Senior executives should be responsible for the implementation and oversight of compliance.Those executives should have authority to report directly to independent monitoring bodies – for example, internal auditors or the board of directors.
- A company’s policies should be clear and in writing and should easily be understood by employees.But having written policies – even those that appear specific and comprehensive “on paper” – is not enough.
- Compliance teams need adequate funding and access to necessary resources.And they must have an appropriate stature within the company.
- A company should have an effective process – with sufficient resources – for investigating and documenting allegations of violations.
- A company periodically should review its compliance policies and practices to keep it up to date with evolving risks and circumstances, including when the company merges with or acquires another company.In particular, if a U.S.-based entity merges with, acquires or is acquired by a foreign entity, all compliance policies should be reviewed and revised accordingly.
- A company should have an effective system for confidential, internal reporting of compliance violations.
- A company should implement mechanisms designed to enforce its policies, including incentivizing compliance and disciplining violations.
- A company should sensitize third parties with which it interacts (for example, vendors, agents or consultants) to the company’s expectation that its partners are compliant.This means more than including boilerplate language in a contract.It means taking action – including termination of a business relationship – if a partner demonstrates a lack of respect for laws and policies.
Corporations also must ensure compliance with the laws of all the countries in which they operate. We appreciate that this may present a major compliance challenge, as international corporations often must bridge cultural, as well as geographic, divides. But such challenges do not justify non-compliance.
Overall, our message is simple: we expect corporate entities to take compliance risk as seriously as they take other business-related risks.
When a compliance program works and a company suspects or discovers potential criminal wrongdoing, a company would be wise to conduct a thorough internal investigation. While we in the Criminal Division will not tell a company how it should conduct an investigation, we evaluate the quality of a company’s internal investigation, both through our own investigation and in considering what if any charges to bring against a company. In that regard, we have seen some “best practices” with regard to internal investigations.
Good internal investigations uncover the facts. They don’t promote corporate talking points or whitewash the truth. The investigation should be focused on rooting out the relevant facts, identifying and interviewing the knowledgeable actors and capturing and preserving relevant documents and other evidence. The investigation should seek to identify responsible individuals, even if those individuals hold senior positions at the company.
It is reasonable to take resources – time and money – into account. If an internal investigation unearths criminal conduct, the inquiry should be thorough enough to identify the relevant facts, players, documents and other evidence, and to get a sense of the pervasiveness of the misconduct. But, we do not believe that it is necessary or productive for a company to employ its internal investigators to look under every rock and pebble – particularly when a company has offices or personnel around the globe that do not appear to be involved in the misconduct at issue. In fact, doing so will cost companies much more in the end, both in fees but also because it ultimately will delay our investigation and delay resolution and closure for the company.
For example, if a multi-national corporation discovers an FCPA violation in one country, and has no basis to suspect that the misconduct is occurring elsewhere, the Criminal Division would not expect that the internal investigation would extend beyond the country in which the violation was discovered. By contrast, if the known offenders operated in multiple countries, we would expect that the internal investigation would extend into those locations as well.
Once your company learns of potential criminal conduct and confirms it through a reasonable internal investigation, the company then must choose whether to disclose the conduct to the government, and whether to cooperate in the government’s investigation. These are the company’s choices, and very few companies have a legal obligation to disclose criminal misconduct to the department. Likewise, there is no obligation to cooperate beyond compliance with lawful process. But if a company chooses to cooperate with the government in its investigation – particularly at an early stage – the company likely will receive significant credit for such efforts when the government is contemplating what prosecutorial action to take.
In conducting an investigation, determining whether to bring charges and negotiating plea or other agreements, federal prosecutors take into account, among other factors, the corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents. Prosecutors also consider the availability of alternative or supplemental remedies such as civil or regulatory enforcement action.
To receive cooperation credit, a company must do more than comply with subpoenas or other compulsory process. Companies must provide a full accounting of the known facts about the conduct or events under review, and affirmatively must identify responsible individuals (and provide evidence supporting their culpability), including corporate executives and officers – and they must do so in a timely way. A company’s cooperation may be particularly helpful where the criminal conduct continued over an extended period of time, and the knowledgeable or culpable individuals and/or the relevant documents are dispersed or located abroad. Under these circumstances, cooperation includes helping to circumvent barriers to the investigation by making knowledgeable personnel available for interviews or testimony, and by producing documents and other evidence that otherwise may not be readily accessible to the government.
We recognize that some foreign data privacy laws may limit or prohibit the disclosure of certain types of data or information. Over the years, the Criminal Division has developed an understanding of certain oft-cited data privacy laws, and we will challenge what we perceive to be unfounded reliance on these laws to justify withholding requested information. Companies should avoid this by giving careful consideration to the government’s requests for information, refraining from making broad “knee jerk” claims that large categories of information are protected from disclosure and producing what can be disclosed.
Corporate accountability through a strong, tailored compliance program and thorough internal investigations should be the standard for your companies.
Corporate accountability through compliance, investigations and protections against breaches is a good practice for all of your companies. And in the Criminal Division, I am emphasizing accountability on our side as well, particularly through our work with regulators and other law enforcement agencies, and through increased transparency about our decision-making where possible.
Many of the cases handled by the Criminal Division also involve parallel investigations or civil or enforcement actions by civil or regulatory authorities. Even if certain misconduct could be pursued civilly or through regulatory action, criminal investigation and prosecution often is appropriate.
It is department policy that criminal prosecutors and civil attorneys coordinate with one another and with agency attorneys, to the extent permissible, to protect and advance the government’s overall interests. Early and effective coordination is critical to ensuring the efficient use of resources and the best ultimate outcome.
We have heard concerns expressed about regulatory “piling on.” We agree that there is the potential for unfairness when a company is asked to pay penalties and fines to different regulators and enforcement authorities based on the same set of facts.
Different law enforcement authorities have distinct and important functions. Companies know who their regulators are, and they know that they are subjecting themselves to those regulatory schemes and the laws of the countries in which they operate. But we are trying to address this concern and are mindful of making sure that companies are not punished unfairly.
Since becoming Assistant Attorney General, one of my priorities has been to ensure that the Criminal Division is as transparent as possible about its decision making. While we are limited in the information we can disclose to the public about matters in which we decline to prosecute, when we file charges, secure a guilty plea or enter into a deferred prosecution or non-prosecution agreement, the Criminal Division will place in the public record detailed information explaining the rationale for the particular resolution whenever possible.
Whether we secure a guilty plea or enter into an NPA or DPA, these resolutions generally have the same key components: admissions, a detailed statement of facts, remediation and/or enhanced compliance requirements and penalties. Depending on the facts and circumstances of a particular case, the Criminal Division also may require the imposition of a compliance monitor. Companies would be wise to study these publicly-available documents to measure their compliance or to assess their exposure.
In our view, increased transparency benefits everyone. From the Criminal Division’s perspective, if companies know the benefits that likely will flow from self-reporting or cooperating with the government’s investigation, we are confident that more companies will be willing to voluntarily disclose identified misconduct and cooperate, including against culpable individuals. In addition, transparency takes a significant amount of the guess work out of assessing the likely benefits of cooperation, as well as the costs of refusing to cooperate or offering limited or partial assistance.
Regardless of the form of resolution, the Criminal Division is committed to enforcing compliance with its terms. In particular, when a company that is subject to the terms of an NPA or a DPA violates the terms of the agreement, if proportional to the breach, the Criminal Division will not hesitate to tear up the agreement and prosecute the offending entity based on the admitted statement of facts. If we do so, as with the other resolutions, the Criminal Division will be transparent and include its rationale in publicly-filed documents. In addition to statements contained in public filings in cases investigated or prosecuted by the Criminal Division, our commitment to transparency also is effectuated by the participation of Criminal Division personnel in conferences such as this one.”