US Compliance Enforcement

The aggressive US enforcement landscape has encouraged an increasing focus on corporate compliance programmes. Companies under US jurisdiction can face significant consequences in white-collar matters, from long and intrusive government probes and reputational damage to headline-catching penalties. US authorities have been effective both in messaging the importance of compliance programmes and in providing concrete incentives for companies to invest in compliance, to self-police and – in the event an issue arises – to consider disclosing the misconduct and cooperating with authorities.[2] In this chapter, we explain how compliance factors into US white-collar enforcement and describe key considerations in that regard for companies facing potential enforcement actions and embarking on the reporting and settlement process with the US authorities.

US compliance enforcement landscape

The US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) have each set clear expectations with respect to compliance programmes through their enforcement actions, enforcement policies and public statements from their leadership. Generally, the DOJ has criminal and civil enforcement authority over misconduct with US touchpoints, whether through jurisdiction over US nationals, residents and businesses, including their agents, or over entities and individuals who engaged in misconduct while in the territory of the United States. The SEC, in turn, has civil jurisdiction over US issuers, including with regard to violations of statutory provisions that require maintenance of adequate internal controls and accurate books and records. Companies subject to SEC jurisdiction, in particular, tend to invest in more robust compliance programmes.

Both agencies expect pre-incident, proactive efforts by companies to implement tailored compliance programmes that address key operational risks and prevent the types of misconduct most likely to occur in a company’s line of business. The agencies view compliance programmes as the front line in combatting corporate misconduct by preventing it in the first place and expect that companies will not only maintain effective compliance programmes but also empower their compliance functions with the support of senior management and the company’s board of directors. Without sufficient investment in compliance, the government warns, companies face the risk of significant penalties down the line.[3]

Both agencies also closely evaluate the maturity of a compliance programme as they consider their charging decisions and structure of settlements. For instance, as is addressed in more detail below in ‘Compliance considerations in government reporting and settlement discussions’, assessment of a compliance programme can affect the type and duration of a non-trial resolution agreement and whether there is a need to impose an external compliance monitor.[4]

Companies and their compliance personnel are not in the dark with respect to the DOJ’s and the SEC’s expectations. As explained in Chapter 3, although there are ‘no formulaic requirements’,[5] the guidelines set forth in the DOJ’s ‘Evaluation of Corporate Compliance Programs’ (ECCP) in particular set the stage for the assessment of corporate compliance efforts.[6] The ECCP, which was issued in February 2017 and most recently updated in June 2020, contains the most comprehensive discussion of the government’s expectations with respect to compliance and is intended to assist prosecutors in evaluating compliance programmes as part of their enforcement decisions. The ECCP is structured around three fundamental questions: whether a compliance programme (1) is ‘well designed’, (2) ‘adequately resourced and empowered to function effectively’ and (3) works in practice.[7] In short, the government is looking for more than a ‘paper programme’. This position was well illustrated in a recent statement by Assistant Attorney General (AAG) Kenneth A Polite Jr, who noted that the government wants ‘to know more than dollars, headcount, and reporting lines’; will review the ‘qualifications and expertise of key compliance personnel and other gatekeeper roles’; and wants to see that ‘compliance officers have adequate access to and engagement with the business, management, and the board of directors’.[8]

Enforcement actions arising from compliance deficiencies

Lack of robust policies and internal controls, inadequate enforcement of adequate policies or controls, or other compliance failures can give rise to civil and criminal liability for companies. In the anti-corruption space in particular, enforcement actions often arise from companies’ inability to design and implement anti-corruption compliance measures to adequately address their operational risks. The DOJ’s and the SEC’s ‘Resource Guide to the Foreign Corrupt Practices Act’ (the FCPA Resource Guide) highlights that an ‘assessment of a company’s compliance program, including its design and good faith implementation and enforcement, is an important part of the government’s assessment of whether a violation occurred, and if so, what action should be taken’.[9]

The examples below from recent FCPA enforcement actions highlight some key considerations for companies looking to better implement and scale their compliance programmes. These enforcement actions serve as a helpful illustration of the DOJ’s and the SEC’s standards with respect to compliance, as well as a warning of the severity of consequences that can follow when the government’s expectations are not met.

The need to fully implement compliance policies

From an enforcement perspective, establishing a compliance programme is a necessary step, but certainly not a sufficient one. Although companies can place a lot of emphasis on designing robust policies, it is essential to implement and test equally robust processes to support those policies, because companies may face exposure for failing to follow their own compliance policies. In 2018, the SEC charged medical devices company Stryker with violations of the FCPA’s books and records and internal accounting controls provisions in connection with its business in India, China and Kuwait. This was the second time in five years that the company had been charged with FCPA violations.[10] Although Stryker had anti-corruption policies and internal controls in place, the SEC found that the company ‘failed to sufficiently implement its policies’.[11] Of particular note, the SEC found that Stryker failed to follow its own policies that required due diligence and training of sub-distributors in China, and, in Kuwait, failed to test whether its distributor would allow the company to exercise its audit rights or otherwise assure that it was complying with Stryker’s anti-bribery policy. Stryker agreed as part of the resolution to retain a compliance consultant to review and evaluate its internal controls, policies and procedures.[12]

The importance of adequate accounting controls

Internal accounting controls are an important consideration for US issuers in particular. In 2022, Korean telecommunications company KT Corporation paid US$6.3 million to settle charges that it used slush funds to give gifts and illegal political contributions in Korea, as well as using an intermediary to generate funds to pay bribes to government officials in Vietnam.[13] The SEC highlighted deficiencies in KT Corporation’s internal accounting controls, noting that the company ‘lacked sufficient internal accounting controls over charitable donations, third-party payments, executive bonuses, and gift card purchases’.[14]

Ensure senior support

Both the DOJ and the SEC have repeatedly noted the importance of ensuring that a company’s compliance function has the strong support of senior executives and the board of directors. This includes ‘tone at the top’. In 2020, US-based consumer loan company WAC resolved FCPA charges relating to its Mexican subsidiary. The SEC called out WAC’s management for having a tone at the top that ‘did not support robust internal audit and compliance functions, and undermined the effectiveness of those functions’.[15] In fact, WAC terminated the internal audit vice president after he raised compliance concerns, combined internal audit and compliance functions and imposed staffing pressure, and allowed a general counsel with no prior audit or accounting experience to be in charge of the combined function.[16] The company paid US$21.7 million to resolve the SEC’s charges.

Ensure sufficient compliance resources

Successful implementation of compliance policies and procedures is contingent on sufficient resource allocation into compliance. Companies that have established policies without adequate resources can still run into trouble. In 2019, the SEC charged the global oil and gas services company TechnipFMC plc with violations of the FCPA’s provisions on anti-bribery, books and records, and internal accounting controls in connection with payments made to a consultant who in turn paid bribes to Iraqi government officials.[17] The company agreed to pay US$5 million to settle with the SEC. Notably, the SEC’s order highlighted that TechnipFMC ‘devoted insufficient resources to compliance concerning its Iraq business’.[18]

Proper scaling of compliance programmes in international expansion

Aggressive international expansion, including through acquisition of foreign entities, can significantly heighten companies’ compliance risks. Several large FCPA actions in recent years arose from situations in which companies did not adequately scale their compliance programmes as they expanded their foreign operations into high-risk jurisdictions. For instance, in 2019, US-based Walmart Inc settled the DOJ’s and the SEC’s FCPA investigations that alleged the company was ‘valu[ing] international growth and cost-cutting over compliance’.[19] Walmart paid US$282 million to settle charges that it violated the FCPA’s provisions on books and records and internal controls relating to its subsidiaries in Mexico, Brazil, India and China.[20]

Similarly, in 2021, London-based WPP plc, the world’s largest advertising company, settled FCPA charges regarding the advertising agency’s subsidiaries in India, China, Brazil and Peru.[21] WPP had aggressively grown to employ approximately 100,000 people at more than 3,000 locations in 112 countries,[22] but despite the ‘known corruption and fraud risks inherent’ in its acquisitions (where founders and chief executive officers (CEOs) of the acquired entities retained significant control over local operations), WPP did not have a compliance department or proper coordination between its legal, internal audit and other units responsible for managing local subsidiaries.[23]

Finally, in 2022, the waste management company Stericycle settled parallel civil and criminal charges brought by US and Brazilian authorities in respect of bribery of foreign officials in Argentina, Brazil and Mexico.[24] According to Stericycle’s settlement papers, while expanding through acquisitions of local and regional businesses in Latin America, the company maintained a mostly decentralised compliance department and accounting processes.[25] The SEC announced its settlement order with a warning for rapidly expanding companies: ‘Companies in pursuit of global expansion cannot disregard the need for appropriate controls.’[26]

Compliance considerations in government reporting and settlement discussions

In active enforcement actions, compliance programmes are evaluated at several stages of a company’s dialogue with the government, and are an important factor in the government’s decisions about the scale and structure of resolutions for companies seeking a settlement. First, compliance considerations are specifically cited among the factors that prosecutors must consider when making charging decisions (i.e., The Principles of Federal Prosecution of Business Organizations,[27] known as the Filip Factors). Second, the strength of a compliance programme and a company’s remediation and enhancements are considered when awarding discounts on penalties. And third, compliance is, of course, the key consideration when authorities decide whether to impose an external monitor.

In light of this approach, companies engaged in a reporting relationship with the US authorities tend to place significant emphasis on proactively approaching compliance enhancements during the course of an investigation and in anticipation of settlement discussions, including to maximise available discounts and to mitigate the burden and costs of a monitorship. As the DOJ’s and the SEC’s expectations have become clearer through enforcement actions and formal policies, companies have become more sophisticated in their approach to remediation. In the past, compliance presentations to the authorities may have focused almost entirely on the contents of the company’s code of conduct and other policies; nowadays, companies are advised to provide more practical information to the government on their compliance programmes and explain exactly how they are implemented, tested and monitored over time.

Filip Factors

The maturity of a compliance programme is one of the factors that prosecutors consider in determining whether and what charges to bring in the first place. The DOJ’s Filip Factors list 11 considerations that companies should expect to discuss when seeking to convince the government not to bring charges or when negotiating a settlement, including two that specifically relate to a company’s compliance programme.[28] With respect to compliance, prosecutors are instructed to consider (1) the adequacy and effectiveness of the compliance programme at the time of the alleged misconduct and at the time of a charging decision, and (2) remedial actions, including any efforts to implement an adequate and effective corporate compliance programme or to improve an existing one.[29]

Of course, compliance programmes, even those that specifically prohibit the misconduct at issue, are not themselves sufficient to justify not charging a corporation,[30] but the existence of a robustly enforced and risk-tailored programme ‘may be considered in determining whether the employee in fact acted to benefit the corporation’, which then enables a prosecutor to determine ‘whether the corporation has adopted and implemented a truly effective compliance program that, when consistent with other federal law enforcement policies, may result in a decision to charge only the corporation’s employees and agents or to mitigate charges or sanctions against the corporation’.[31]

Enforcement authorities consider ‘reform’ as a factor in evaluating a corporation’s remedial efforts. Accordingly, the government recognises that although the inadequacy of a compliance programme may be to the corporation’s disadvantage, ‘quick recognition of the flaws in the program and [the corporation’s] efforts to improve the program are also factors to consider as to the appropriate disposition of a case’.[32] The Filip Factors demonstrate that compliance efforts do not have to be perfect to earn credit in a resolution, but there has to be proactive participation by the corporation at every stage.

The Filip Factors’ expectations for compliance programmes are very similar to the ECCP factors discussed above. Consistent with this practical approach, in applying the Filip Factors, the government will consider, among other elements:

  • the company’s culture of compliance;
  • resources dedicated to compliance;
  • the quality, experience, compensation, promotion and reporting structure of personnel involved in compliance;
  • the compliance function’s level of authority and independence and the availability of compliance expertise to the board;
  • the effectiveness of risk assessments and their use in tailoring the programme; and
  • auditing of the compliance programme.[33]

The key takeaway is that an effective compliance programme is not derived through a one-size-fits-all approach, but rather adapted to the company’s specific circumstances and evaluated, in part, based on a company’s size and resources.[34]

The government’s standards are again reflected in enforcement actions that cite to compliance enhancements. For instance, in 2020, the DOJ announced the landmark US$3.9 billion global settlement with Airbus, involving FCPA charges, which was coordinated with enforcement authorities in France and the United Kingdom. The DOJ’s deferred prosecution agreement (DPA) with Airbus referenced a number of compliance enhancements undertaken by Airbus.[35] The company was recognised for, among other initiatives, its hiring of new legal and compliance leadership, application of enhanced due diligence procedures, provision of additional compliance training to employees, enhancements relating to management of third-party relationships, and ongoing reviews of its compliance programme.[36] Partly because of its remediation efforts and the state of its compliance programme at the time of the resolution, Airbus was not required to retain an independent compliance monitor.

Similarly, in announcing Stericycle’s resolution in 2022, the SEC explained that the company did not have sufficient controls or a compliance department in place at the time of alleged misconduct to ‘prevent or even detect the misconduct’.[37] The DOJ and the SEC noted the company’s remediation in that regard:

  • divestment of problematic subsidiaries in Argentina and Mexico;
  • termination of relationships with problematic employees and third parties;
  • strengthening of its corporate governance by appointing new senior management and directors;
  • enhancement of its compliance infrastructure by hiring more local compliance personnel and an experienced chief ethics and compliance officer (who reports directly to the CEO and chair of the board’s audit committee);
  • updates to relevant policies and procedures; and
  • enhancement of internal reporting and risk assessment processes and anti-corruption compliance training.[38]

Remediation incentives

The best illustration of monetary incentives the authorities provide to incentivise compliance enhancements is the DOJ’s ‘Corporate Enforcement Policy’, which provides – initially in the FCPA space but now also more broadly – that voluntary self-disclosure, full cooperation, and timely and appropriate remediation can yield a 50 per cent reduction off the low end of the US Sentencing Guidelines[39] fine range (or 25 per cent absent self-disclosure).[40]

In practice, the remediation prong is satisfied by companies taking disciplinary action against wrongdoers, terminating problematic third-party relationships and payment streams, and enhancing their compliance programmes to better discourage, detect and prevent future violations. The DOJ has made it clear that ‘[i]mplementation of an effective compliance and ethics program’ is required to receive full remediation credit.[41]

By way of example, in June 2021, Amec Foster Wheeler Energy Limited, a subsidiary of a UK-based global engineering company, concluded a DPA with the DOJ to settle charges in respect of a bribery scheme in Brazil.[42] The company received the full 25 per cent cooperation and remediation discount because, among other factors, it engaged in significant remedial measures, such as ‘implementation of enhanced policies, procedures and internal controls relating to . . . anti-corruption compliance, including retention and management of commercial agents’, as well as enhancements to its training and internal reporting programmes, and dismissal of certain employees.[43] Similarly, when Deutsche Bank AG settled FCPA and market manipulation charges with the DOJ in January 2021, it received a 25 per cent discount off the middle of the Sentencing Guidelines range.[44] Its DPA noted that Deutsche Bank engaged in remedial measures, including ‘significantly’ enhancing its internal controls and anti-corruption programme, and its third-party intermediary programme on a global basis.[45] The Deutsche Bank DPA imposed requirements that all third-party arrangements be approved and be reviewed annually by the company’s anti-corruption function, and enhanced due diligence procedures and practices in respect of intermediaries.[46]

Compliance monitors

One of the most tangible incentives for compliance enhancements is the potential avoidance of an external monitor. The government views monitors as ‘effective tools for strengthening corporate compliance programs’[47] and as ‘allies’ to compliance personnel in creating ‘lasting, sustainable change in corporate culture’.[48] From a company’s perspective, however, the imposition of a multi-year monitorship is not only costly, but burdensome and potentially even disruptive to its operations.

The DOJ Office of the Deputy Attorney General’s memorandum of October 2021 (the Monaco Memorandum) outlines the government’s updated considerations regarding the imposition of monitors in corporate resolutions. The Monaco Memorandum recognises that independent corporate monitors can be an ‘effective resource in assessing a corporation’s compliance’ with the terms of a resolution and an ‘effective means of reducing the risk of repeat misconduct and compliance lapses identified during a corporate criminal investigation’.[49] Prosecutors are instructed to consider when determining whether an external monitor is appropriate: ‘(1) the potential benefits that employing a monitor may have for the corporation and the public, and (2) the cost of a monitor and its impact on the operations of a corporation.’[50] In civil cases, the government can also require that a company retain an independent compliance consultant or monitor to ‘provide an independent, third-party review of the company’s internal controls’.[51]

Although the DOJ and the SEC each can impose corporate monitors, their approach to monitorships has varied over the years. For instance, between 2015 and 2019, the government imposed monitors in approximately 20 per cent of FCPA resolutions, but then no monitors in 2020 and 2021. In 2021, the DOJ reversed Trump-era guidance that corporate monitors should be imposed as the exception rather than the rule, noting that prosecutors will consider a monitor where a compliance programme is ‘untested, ineffective, inadequately resourced, or not fully implemented at the time of a resolution’.[52] The DOJ invoked that language when imposing monitors on Stericycle and Glencore in 2022. Stericycle received a two-year monitorship as the company had ‘enhanced and has committed to continuing to enhance its compliance program’,[53] while Glencore received a three-year monitorship (the standard term) because the DOJ found that its compliance enhancements were new and ‘have not been fully implemented or tested to demonstrate that they would prevent and detect similar misconduct in the future’.[54] These recent decisions indicate that partial but incomplete remediation may nevertheless result in an undesirable monitorship.

Reporting on compliance to enforcement authorities

In light of the above-mentioned incentives for compliance remediation, companies often consider a more proactive approach to compliance enhancements in preparation and during a dialogue with enforcement authorities. For instance, a company dealing with an issue that arose from third-party relationships may not only terminate problematic relationships but also undertake a broader audit or risk-based review of third-party relationships. Similarly, issues relating to inter­national operations may prompt a company to undertake broader risk-based assessments in any high-risk jurisdictions in which they operate. These strategies are all intended to better position a company to maximise the cooperation and remediation credit and stave off the imposition of a monitor.

In a typical reporting relationship, companies will deliver a presentation to the government on their compliance programme and related enhancements and then respond to any enquiries and requests from the government for further information relating to their compliance efforts. The presentation can be a standalone remediation presentation or, especially in DOJ actions, included in the Filip Factors presentation, where company representatives meet with enforcement officials to present the company’s position on factors the agencies are known to consider in their charging and settlement decisions.

Importantly, during those presentations, companies will often face experienced compliance specialists at the other side of the table because the agencies have continued to invest in their internal compliance expertise. For instance, in 2015, the DOJ retained a full-time compliance expert, Hui Chen, to assist prosecutors when evaluating corporate compliance programmes as part of enforcement actions. Chen was highly regarded in her role but left the post in 2017, citing differences with the Trump administration.[55] After several years without clear direction about the role, the DOJ hired Lauren Kootman in March 2021 as a trial attorney and compliance specialist.[56] Kootman’s appointment coincided with the DOJ’s move towards building a team of dedicated compliance specialists. In March 2022, AAG Polite announced that the DOJ had ‘revamped’ the Criminal Division Fraud Section’s former Strategy, Policy, and Training Unit into the Corporate Enforcement, Compliance, and Policy Unit (CECP) with new management comprised of ‘prosecutors and former compliance and defense lawyers with deep experience in compliance, monitorships, and corporate enforcement matters’ and plans to continue building up the group.[57] CECP attorneys assess reports submitted by companies and evaluate progress by reviewing and testing compliance programmes and making enhancements, where necessary, to ensure that companies have ‘effective and sustainable’ compliance programmes.[58]

With this additional expertise on the government side, companies would be well advised to make their compliance presentations concrete and practical and ensure they are supported by metrics and data. Enforcement officials pay particular attention to answers provided by companies during Filip Factors presentations, which can be a real sign of the effectiveness of compliance programmes.[59] According to recent guidance provided by AAG Polite,[60] companies preparing for compliance presentations should keep in mind some important points:

  • Companies making presentations ‘will face tough and probing’ questions. The government expects companies to ‘demonstrate how a compliance program has been upgraded to address the root cause of the misconduct, and how it is being tested and updated to ensure that it is sustainable and adaptable to changing risk’.[61]
  • The government expects active and meaningful participation from the company’s chief compliance officer (CCO) (or equivalent position), who should be ‘leading the compliance presentation and demonstrating knowledge and ownership of the compliance program’.[62] In fact, Polite noted that the general counsel’s answering of a question that the DOJ posed to the CCO during a recent Filip Factors presentation demonstrated to Polite ‘literally and figuratively’ that the CCO had ‘no voice in that organization’.[63]
  • In addition to the CCO, other senior management is encouraged to participate in discussions, take ownership of their role in compliance, and demonstrate ‘commitment to compliance’.[64]

In summary, enforcement authorities focus on evaluating compliance programmes throughout the enforcement life cycle. The government takes into consideration a company’s compliance structure and efforts in (1) assessing any potential remediation credits, (2) making charging decisions, and (3) determining continuing reporting obligations or the need for an external monitor. Companies and their key personnel are expected to demonstrate thoughtful and active engagement throughout the entire process.

Post-settlement compliance enforcement

US authorities’ compliance enforcement does not stop with a negotiated resolution. A standard negotiated agreement, whether a DPA or a non-prosecution agreement (NPA), even in the absence of an external monitor, sets out continuing obligations with respect to maintenance of an effective compliance programme.[65] There are two recent trends that point to the government’s increasing focus on enforcement of those commitments.

First, the DOJ now requires a certification from corporations’ CEOs and CCOs at the end of a DPA or NPA that the company’s compliance programme is ‘reasonably designed and implemented to detect and prevent violations of the law . . . and is functioning effectively’.[66] When this new certification requirement was announced by AAG Polite in March 2022, he insisted that this step, rather than punitive, is intended to ‘empower’ CCOs by ensuring that they have data and access to ‘all relevant compliance-related information and can voice any concerns they may have prior to certification’.[67] It remains to be seen whether the DOJ will require this certification in every case or just in those that it views as egregious.

Second, the DOJ’s recently increased scrutiny of non-trial resolutions, and allegations of DPA breaches, further emphasise the importance of maintaining robust compliance programmes even after a settlement is reached. In October 2021, and again in March 2022, Ericsson announced that the DOJ had determined that the company had breached its 2019 DPA arising from FCPA violations.[68] Ericsson’s DPA, as is standard in FCPA settlements, included an ongoing commitment to cooperate with continued investigations and to truthfully disclose information in response to DOJ enquiries, as well as to proactively report any newly uncovered evidence or allegations of FCPA violations during the DPA’s three-year term.[69] The agreement provided that if the DOJ determined that Ericsson had breached the agreement by failing to uphold its obligations, the company could be subject to prosecution if its explanation was not satisfactory. The first breach involved the DOJ’s determination that Ericsson had failed to provide certain disclosures of relevant documents and factual information.[70] The second breach concerned insufficient disclosures made by Ericsson to the DOJ about its internal investigation into misconduct in Iraq.[71]

The first Ericsson breach announcement came at a time when US enforcement authorities had emphasised their commitment to holding companies accountable to their agreements with the government. In an October 2021 speech, the DOJ’s principal Associate Deputy Attorney General John Carlin warned companies with DPAs and other negotiated agreements that the agency would ‘make sure that those who get the benefit of such an arrangement comply with their responsibility[] [a]nd if not, [companies] should expect to see serious repercussions’. Carlin specified that violations of DPAs ‘may result in punishment greater than the original sentence’.[72]

Following Ericsson’s second breach, DOJ prosecutors found in March 2022 that Deutsche Bank had also violated its 2021 DPA arising from FCPA and market manipulation charges.[73] DOJ prosecutors determined that Deutsche Bank had violated its DPA by failing to timely disclose a whistleblower complaint regarding the bank’s investments in environmental, social and governance initiatives, which was discovered by the DOJ from media reports.[74] As a result of the breach, Deutsche Bank’s monitorship was extended for another year (i.e., until February 2023).[75]

Overall, these examples demonstrate unequivocally that successful compliance and remedial efforts must continue past the point of a resolution of a white-collar matter. As Deputy Attorney General Lisa Monaco announced in October 2021, DPAs and NPAs are not a ‘free pass’, and violation of their obligations carry significant risk of harsher enforcement.[76]


Enforcement history, government guidance and recent trends all point in the same direction: compliance is a critical aspect of corporate enforcement in the United States. Companies subject to US jurisdiction are advised to make a concerted and continuous effort towards building and maintaining an effective compliance programme to prevent wrongdoing or, should an issue arise, position themselves favourably during interactions with enforcement authorities and maximise the prospect of securing a successful resolution. The government is clear in expecting a carefully planned, well-resourced and flexible compliance programme that can be adapted to changes in the circumstances and size of a business.

As described above, compliance programmes affect every part of a company’s interactions with US enforcement authorities. Authorities expect proactive efforts by companies to implement tailored compliance programmes to address their main risks and prevent the types of misconduct most likely to occur in their businesses. For companies that find themselves subject to government inquiries, authorities closely evaluate compliance programme maturity during the course of their investigations and account for compliance enhancements when considering charging decisions, and – if deciding to proceed – the nature and structure of resolutions, the amount of penalties and the need for an external monitor. And because resolutions impose continuing obligations regarding maintenance and enhancement of compliance programmes, the emphasis on compliance does not stop with a negotiated resolution. In short, as the government continues to warn, it pays to invest in compliance early.


[1] Kara Brockmeyer is a partner, Ivona Josipovic is a counsel and Andreas A Glimenakis and Berk Guler are associates at Debevoise & Plimpton LLP.

[2] See, e.g., Justice Manual (JM) § 9-28.800, at
 (last accessed 6 July 2022) (‘The Department encourages such corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own.’).

[3] U.S. Dep’t of Justice (DOJ), ‘Assistant Attorney General Kenneth A. Polite Jr. Delivers Remarks at NYU Law’s Program on Corporate Compliance and Enforcement (PCCE)’ (25 March 2022) (Polite Speech),
 (last accessed 6 July 2022).

[4] See DOJ, Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (updated June 2020) (ECCP), (last accessed 6 July 2022); DOJ, Criminal Division and U.S. Sec. & Exch. Comm’n (SEC), Enforcement Division, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’, Second Edition (July 2020) (FCPA Resource Guide), (last accessed 6 July 2022) (noting that ‘DOJ and SEC also consider the adequacy of a company’s compliance program at the time of the misconduct and at the time of the resolution when deciding what, if any action, to take’).

[5] JM, § 9-28.800, cmt.

[6] See ECCP (op. cit. note 4).

[7] ibid., at 2. See Chapter 3 for additional discussion.

[8] Polite Speech (op. cit. note 3, above).

[9] FCPA Resource Guide (op. cit. note 4), at 56–57.

[10] SEC, Press Release No. 2018-222, ‘SEC Charges Stryker a Second Time for FCPA Violations’ (28 September 2018), (last accessed 6 July 2022).

[11] In re Stryker Corporation, Securities Exchange Act of 1934 Rel. No. 84308, Accounting and Auditing Enforcement Rel. No. 3990, Admin. Proc. File No. 3-18853, ¶¶ 5–7 (28 September 2018), (last accessed 6 July 2022).

[12] ibid., at ¶ V(D)(6).

[13] In re KT Corporation, Securities Exchange Act of 1934 Rel. No. 94279, Admin. Proc. File No. 3-20780 (17 February 2022), (last accessed 6 July 2022).

[14] SEC, Press Release No. 2022-30, ‘Largest South Korean Telecommunications Co. Agrees to Pay the SEC to Settle FCPA Charges’ (17 February 2022),
 (last accessed 6 July 2022).

[15] In re World Acceptance Corporation, Securities Exchange Act of 1934 Rel. No. 89489, Accounting and Auditing Enforcement Rel. No. 4158, Admin. Proc. File No. 3-19905 (6 August 2020), (last accessed 6 July 2022).

[16] ibid., at ¶ 14.

[17] In re TechnipFMC plc., Securities Exchange Act of 1934 Rel. No. 87055, Accounting and Auditing Enforcement Rel. No. 4087, Admin. Proc. File No. 3-19493 (23 September 2019), (last accessed 6 July 2022). TechnipFMC also entered into a parallel resolution with the DOJ in relation to bribery schemes in Brazil and Iraq. See DOJ, Press Release No. 19-714, ‘TechnipFMC Plc and U.S.-Based Subsidiary Agree to Pay Over $296 Million in Global Penalties to Resolve Foreign Bribery Case’ (25 June 2019),
 (last accessed 6 July 2022).

[18] ibid., at ¶ 8.

[19] SEC, Press Release No. 2019-102, ‘Walmart Charged With FCPA Violations’ (20 June 2019), (last accessed 6 July 2022).

[20] In re Walmart Inc., Securities Exchange Act of 1934 Rel. No. 86159, Accounting and Auditing Enforcement Rel. No. 4054, Admin. Proc. File No. 3-19207 (20 June 2019), (last accessed 6 July 2022).

[21] In re WPP plc, Securities Exchange Act of 1934 Rel. No. 93117, Accounting and Auditing Enforcement Rel. No. 4257, Admin. Proc. File No. 3-20595 (24 September 2021), (last accessed 6 July 2022).

[22] ibid., at ¶ 6.

[23] ibid., at ¶ 7.

[24] See Deferred Prosecution Agreement, United States of America v. Stericycle, Inc., Case No. 22-cr-20156-KMM (S.D. Fla. 18 April 2022) (Stericycle DPA), (last accessed 6 July 2022); In re Stericycle, Inc., Securities Exchange Act Release No. 94760 (20 April 2022) (Stericycle Order), (last accessed 6 July 2022).

[25] Stericycle Order (op. cit. note 24), at ¶¶ 4–7.

[26] SEC, Press Release No. 2022-65, ‘SEC Charges Stericycle with Bribery Schemes in Latin America’ (20 April 2022) (Stericycle Press Release), press-release/2022-65 (last accessed 6 July 2022).

[27] JM § 9-28.300 (Filip Factors).

[28] Filip Factors (op. cit. note 27).

[29] The DOJ clarifies that the Filip Factors do not constitute an exhaustive list, and some factors may not apply to individual cases. ibid., at cmt.

[30] JM § 9-28.800 at cmt. (‘The existence of a corporate compliance program, even one that specifically prohibited the very conduct in question, does not absolve the corporation from criminal liability under the doctrine of respondeat superior.’).

[31] id. (citing United States v. Beusch, 596 F.2d 871, 878 (9th Cir. 1979)).

[32] JM § 9-28.1000.

[33] JM § 9-47.120(3)(c).

[35] Deferred Prosecution Agreement, United States of America v. Airbus SE, Case No. 1:20-cr-00021-TFH (D.D.C. 31 January 2020), (last accessed 6 July 2022).

[36] ibid., at ¶ 4, paras. (d) and (e).

[37] Stericycle Press Release (op. cit. note 26).

[38] Stericycle DPA (op. cit. note 24), at ¶ 4(d); Stericycle Order (op. cit. note 24), at ¶¶ 27–28.

[39] United States Sentencing Commission, ‘Guidelines Manual 2021’.

[40] JM § 9-47.120.

[41] JM § 9-47.120(3).

[42] See Deferred Prosecution Agreement, United States of America v. Amec Foster Wheeler Energy Limited, Case No. 21-cr-298 (KAM) (E.D.N.Y. 25 June 2021) (Amec Foster DPA), (last accessed 6 July 2022).

[43] ibid., at ¶ 4.

[44] See Deferred Prosecution Agreement, United States of America v. Deutsche Bank Aktiengesellschaft, Case No. 20-00584 (RPK) (RML) (E.D.N.Y. 8 January 2021) (Deutsche Bank DPA), (last accessed 6 July 2022).

[45] ibid., at ¶ 4.

[47] Polite Speech (op. cit. note 3, above).

[49] DOJ, Memorandum from the Deputy Attorney General (Lisa O. Monaco), ‘Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies’ (28 October 2021) (Monaco Memorandum), (last accessed 6 July 2022).

[50] ibid., at 4.

[51] FCPA Resource Guide (op. cit. note 4), at 74.

[52] Monaco Memorandum (op. cit. note 49), at 4.

[53] Stericycle DPA (op. cit. note 24), at ¶ 4.

[54] DOJ, Press Release No. 22-176, ‘Glencore Entered Guilty Pleas To Foreign Bribery And Market Manipulation Conspiracies’ (24 May 2022), (last accessed 6 July 2022).

[55] Clara Hudson, ‘DOJ makes good on compliance hiring pledge’, Global Investigations Review (2 March 2021), -good-compliance-hiring-pledge (last accessed 6 July 2022). It was also recognised at the time by former AAG Brian Benczkowski that the consolidation of compliance expertise in a single person created ‘inherent limitations’.

[56] Dylan Tokar, ‘Justice Department’s Foreign Bribery Unit Adds Prosecutors, Compliance Expertise’, The Wall Street Journal (8 March 2021) -departments-foreign-bribery-unit-adds-prosecutors-compliance-expertise-11615199402 (last accessed 6 July 2022).

[57] Polite Speech (op. cit. note 3, above).

[59] Adam Dobrik, ‘Andrew Wiessman: A key question in the Filip factors presentation’, Global Investigations Review (23 May 2016), just-anti-corruption/andrew-weissmann-key-question-in-the-filip-factors-presentation (last accessed 6 July 2022).

[60] Polite Speech (op. cit. note 3, above).

[63] Kyle Brasseur, ‘DOJ’s Kenneth Polite to CCOs: Tell me your compliance success stories’, Compliance Week (17 May 2022), -stories/31692.article (last accessed 6 July 2022).

[65] See, e.g., Deferred Prosecution Agreement, United States v. Herbalife Nutrition Ltd., Document 4-1, Letter to Patrick F. Stokes, et al., Case 1:20-cr-00443-GHW, Attachment C (1 September 2020), -nutrition-ltd (last accessed 6 July 2022). Through Attachment C of a DPA, the company makes representations regarding its efforts to enhance and enforce its compliance policies and procedures. Attachment C also sets out the parameters of the required compliance programme, and the company’s reporting obligations to the government.

[66] Polite Speech (op. cit. note 3, above). See Plea Agreement, United States v. Glencore International A.G., ¶ 9 (S.D.N.Y. 24 May 2022), (last accessed 6 July 2022).

[67] Polite Speech (op. cit. note 3, above).

[68] Deferred Prosecution Agreeement, United States v. Telefonaktiebolaget LM Ericsson, Letter to Cheryl J. Scarboro, et al. (26 November 2019), (last accessed 6 July 2022).

[69] ibid., at ¶ 5.

[70] Telefonaktiebolaget LM Ericsson, Press Release, ‘Update on Deferred Prosecution Agreement’ (21 October 2021), (last accessed 6 July 2022).

[71] Telefonaktiebolaget LM Ericsson, Press Release, ‘Update on Deferred Prosecution Agreement’ (2 March 2022), update-on-deferred-prosecution-agreement (last accessed 6 July 2022).

[72] ‘John Carlin on stepping up DOJ corporate enforcement’, Global Investigations Review (11 October 2021), 2020/article/john-carlin-stepping-doj-corporate-enforcement (last accessed 6 July 2022).

[73] See Deutsche Bank DPA (op. cit. note 44).

[74] Patricia Kowsmann, ‘Deutsche Bank Violates DOJ Settlement, Agrees to Extend Outside Monitor’, The Wall Street Journal (11 March 2022), deutsche-bank-violates-doj-settlement-agrees-to-extend-outside-monitor-11647016959 (last accessed 6 July 2022).

[76] DOJ, ‘Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime’ (28 October 2021), speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th -national-institute (last accessed 6 July 2022).

Unlock unlimited access to all Global Investigations Review content