US Compliance Enforcement

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

The aggressive US enforcement landscape has encouraged an increasing focus on, and heightened expectations for, corporate compliance programmes. Companies under US jurisdiction can face significant consequences in white-collar matters, including long and intrusive government probes, civil and criminal liability, reputational damage and headline-catching penalties. US authorities have been effective both in communicating the importance of compliance programmes and in providing concrete incentives for companies to invest in compliance, to self-police and – in the event an issue arises – to consider disclosing the misconduct and cooperating with authorities.[2]

In this chapter, we explain how compliance factors into US white-collar enforcement and describe key considerations for companies facing potential enforcement actions and embarking on the reporting and settlement process with the US authorities.

US compliance enforcement landscape

The US Department of Justice (DOJ) and the US Securities and Exchange Commission (SEC) continue to raise expectations with respect to compliance programmes through their enforcement actions, enforcement policies and public statements from their leadership. Generally, the DOJ has criminal and civil enforcement authority over misconduct with US touchpoints, whether through jurisdiction over US nationals, residents and businesses, including their agents, or over entities and individuals that engaged in misconduct while in US territory. The SEC has civil jurisdiction over US issuers, including with regard to violations of statutory provisions that require maintenance of adequate internal accounting controls and accurate books and records. Companies subject to SEC jurisdiction, in particular, tend to invest in more robust compliance programmes.

Both agencies expect pre-incident, proactive efforts by companies to devise and implement tailored compliance programmes that address key operational risks and prevent the types of misconduct most likely to occur in a company’s line of business. The agencies view compliance programmes as the front line in combating corporate misconduct by preventing it in the first place and expect that companies will not only maintain effective compliance programmes but also empower their compliance functions with the support of senior management and the company’s board of directors. The government warns that without sufficient investment in compliance up front, companies face the risk of significant penalties down the line.[3]

Both agencies also closely evaluate the effectiveness of a compliance programme, both at the time of misconduct and at the point of resolution, as they consider their charging decisions and structure of settlements. For instance, as is addressed in more detail below in ‘Compliance considerations in government reporting and settlement discussions’, assessment of a compliance programme can affect the type and duration of a non-trial resolution agreement and whether there is a need to impose an external compliance monitor.[4]

As explained in Chapter 3 on ‘US Compliance Requirements’, although there are ‘no formulaic requirements’,[5] the DOJ’s ‘Evaluation of Corporate Compliance Programs’ (ECCP) guidelines – first issued in February 2017 and most recently updated in March 2023 – contains the most comprehensive discussion of the government’s expectations with respect to compliance and is intended to assist prosecutors in evaluating compliance programmes as part of their enforcement decisions. The ECCP is structured around three fundamental questions: whether a compliance programme is (1) ‘well designed’, (2) ‘adequately resourced and empowered to function effectively’ and (3) ‘work[s] in practice’.[6]

The DOJ’s compliance expectations continue to escalate, as seen in the recently revised ECCP formalising additional requirements in connection with two increasingly important areas: monitoring off-system communications and implementing compliance-promoting compensation structures.[7] In short, the government is looking for more than a ‘paper programme’. This position was well illustrated in recent DOJ statements noting, for instance, that ‘resourcing a compliance department is not enough; it must also be backed by, and integrated into, a corporate culture that rejects wrongdoing for the sake of profit’.[8]

Enforcement actions arising from compliance deficiencies

Lack of robust policies and internal controls, inadequate enforcement of adequate policies or controls, or other compliance failures can give rise to civil and criminal liability for companies. In the anti-corruption space in particular, enforcement actions often arise from companies’ failure to design and implement anti-corruption compliance measures to adequately address their operational risks. The DOJ’s and the SEC’s ‘Resource Guide to the Foreign Corrupt Practices Act’ (the FCPA Resource Guide) highlights that an ‘assessment of a company’s compliance program, including its design and good faith implementation and enforcement, is an important part of the government’s assessment of whether a violation occurred, and if so, what action should be taken’.[9]

The examples below from recent enforcement actions illustrate some key considerations for companies looking to better design, implement and scale their compliance programmes.

The need to fully implement compliance policies

From an enforcement perspective, establishing a compliance programme is a necessary step, but certainly not a sufficient one. Although companies can place a lot of emphasis on designing robust policies, it is essential to implement and test equally robust processes to support those policies.

In May 2023, the Netherlands-based medical device manufacturer Koninklijke Philips NV (Philips) paid US$62 million to settle the SEC’s charges that it had violated the FCPA’s books and records and internal accounting controls provisions in relation to the sale of diagnostic equipment in China.[10] The SEC found that Philips’ subsidiaries in China, by giving special price discounts to distributors, created a risk of large distributor margins enabling improper payments to employees of public hospitals. It also found that Philips did not enforce its existing due diligence, training or testing procedures related to the engagement of distributors, despite remedial measures that had been taken in connection to its prior 2013 FCPA settlement.[11] As part of the resolution, Philips agreed to self-report to the SEC on its ongoing remediation and compliance enhancements over a two-year period.[12]

The importance of adequate accounting controls

Internal accounting controls and the keeping of adequate books and records are important considerations for US issuers in particular. Over the past five years, approximately half of the FCPA cases brought by the SEC involve only these accounting charges and not a bribery charge. They can also result in sizeable penalties.

In 2019, US-based Walmart Inc paid more than US$282 million to settle DOJ and SEC investigations that found only violations of the FCPA’s accounting provisions.[13] In 2022, Korean telecommunications company KT Corporation paid US$6.3 million to settle charges that it ‘lacked sufficient internal accounting controls over charitable donations, third-party payments, executive bonuses, and gift card purchases’ when the SEC alleged it used slush funds to give gifts and illegal political contributions in Korea and used an intermediary to generate funds to pay bribes to government officials in Vietnam.[14] Similarly, the SEC charged Philips in the above-mentioned 2023 action with deficient internal accounting controls regarding the use of third parties and management’s approval of pricing discounts.[15]

Ensure senior support

Both the DOJ and the SEC have repeatedly noted the importance of ensuring that a company’s compliance function has access to and the strong support of senior executives and the board of directors. This includes ‘tone at the top’. In 2020, US-based consumer loan company World Acceptance Corporation (WAC) paid US$21.7 million to resolve FCPA charges relating to its Mexican subsidiary. The SEC called out WAC’s management for having a tone at the top that ‘did not support robust internal audit and compliance functions, and undermined the effectiveness of those functions’.[16] In fact, WAC terminated the internal audit vice president after he raised compliance concerns, combined internal audit and compliance functions and imposed staffing pressure, and allowed a general counsel with no prior audit or accounting experience to lead the combined function.[17]

Ensure sufficient compliance resources

Successful implementation of compliance policies and procedures requires sufficient resource allocation into compliance. Companies that have established policies without adequate resources can still run into trouble. For example, in 2019, global oil and gas services company TechnipFMC plc paid US$5 million to settle SEC charges that it violated the FCPA in connection with payments made to a consultant who in turn paid bribes to Iraqi government officials.[18] Notably, the SEC’s order highlighted that TechnipFMC ‘devoted insufficient resources to compliance concerning its Iraq business’.[19]

Proper scaling of compliance programmes in international expansion

Aggressive international expansion, including through acquisition of foreign entities, can significantly heighten companies’ compliance risks and increase the government’s expectations as to companies’ compliance controls. Several FCPA actions in recent years arose from situations in which companies did not adequately scale their compliance programmes as they expanded their operations into high-risk jurisdictions. For instance, in 2019, as noted above, US-based Walmart Inc settled the DOJ’s and the SEC’s FCPA investigations that alleged the company was ‘valu[ing] international growth and cost-cutting over compliance’.[20] Walmart paid US$282 million to settle charges that it violated the FCPA’s provisions on books and records and internal controls relating to its subsidiaries in Mexico, Brazil, India and China.

Similarly, in 2021, London-based WPP plc, the world’s largest advertising company, settled FCPA charges regarding the advertising agency’s subsidiaries in India, China, Brazil and Peru.[21] WPP had aggressively grown to employ approximately 100,000 people at more than 3,000 locations in 112 countries,[22] but despite the ‘known corruption and fraud risks inherent’ in its acquisitions (where founders and chief executive officers (CEOs) of the acquired entities retained significant control over local operations), WPP did not have a compliance department or proper coordination between its legal, internal audit and other units responsible for managing local subsidiaries.[23]

In 2022, the waste management company Stericycle settled parallel civil and criminal charges brought by US and Brazilian authorities in respect of bribery of foreign officials in Argentina, Brazil and Mexico.[24] According to Stericycle’s settlement papers, while expanding through acquisitions of local and regional businesses in Latin America, the company maintained a mostly decentralised compliance department and accounting processes.[25] The SEC announced its settlement order with a warning for rapidly expanding companies: ‘Companies in pursuit of global expansion cannot disregard the need for appropriate controls.’[26]

Companies seeking to expand through acquisitions should be mindful of successor liability and should make pre-acquisition due diligence and integration of acquired entities into its compliance structure an integral component of its compliance programme. DOJ prosecutors are instructed to place less weight on prior misconduct committed by an acquired entity if the acquirer fully and timely remediated the misconduct and integrated the acquired entity into ‘an effective, well-designed compliance program’.[27]

Furthermore, self-disclosure of wrongdoing at an acquired entity that is discovered through due diligence entitles a company to a presumption of declination by the DOJ.[28] For example, despite evidence of FCPA violations having been committed by a subsidiary prior to its acquisition by French aerospace company Safran, in relation to obtaining train lavatory contracts with the Chinese government, the DOJ resolved the matter via a declination with disgorgement of US$17.9 million because of Safran’s timely and voluntary self-disclosure (after post-acquisition due diligence), proactive cooperation and full remediation (including terminating responsible employees).[29]

Carefully consider ‘off-system’ communications

The proliferation of personal devices and various messaging communication platforms continues to be an area of increased focus for enforcement authorities, particularly where these ‘off-system’ communication channels are used for business communications. In September 2022, the SEC and the Commodity Futures Trading Commission charged 16 banks and brokerages with ‘widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications.’[30] Importantly, several of the SEC’s orders highlighted not only the use of pervasive off-system texting, but also the practice by senior executives tasked with enforcing compliance policies of frequently engaging in off-system business communications.[31] The charged firms agreed to pay combined penalties of more than US$1.8 billion.

The DOJ has broadened its focus to all companies, not just those subject to record-keeping requirements under the federal securities laws. Several FCPA actions brought by the DOJ have specifically cited evidence gathered from such messaging platforms.[32] A September 2022 DOJ address provided a general rule that companies’ compliance programmes should contain effective and enforced policies governing the use of personal devices and messaging platforms and clear employee training and enforcement of those policies,[33] and March 2023 updates to the DOJ’s ECCP guidelines and the DOJ Criminal Division’s ‘Corporate Enforcement and Voluntary Self-Disclosure Policy’ (CEP) explicitly tied a company’s approach to the use of personal devices and messaging platforms with both cooperation and remediation credit.[34]

Compliance considerations in government reporting and settlement discussions

In active enforcement actions, compliance programmes are evaluated at several stages of a company’s dialogue with the government, and are an important factor in the government’s decisions about the scale and structure of resolutions for companies seeking a settlement: first, compliance considerations are specifically cited among the factors that prosecutors must consider when making charging decisions (i.e., The Principles of Federal Prosecution of Business Organizations,[35] known as the Filip Factors); second, the strength of a compliance programme and a company’s remediation and enhancements are considered when awarding discounts on penalties; and third, the current effectiveness of a compliance programme is the key consideration when authorities decide whether to impose an external monitor.

In light of this approach, companies engaged in a reporting relationship with US authorities tend to place significant emphasis on proactively implementing compliance enhancements during the course of an investigation and in anticipation of settlement discussions, including to maximise available discounts and to mitigate the burden and costs of a monitorship. As the DOJ’s and the SEC’s expectations have become clearer through enforcement actions and formal policies, companies have become more sophisticated in their approach to remediation. In the past, compliance presentations to the authorities may have focused almost entirely on the contents of the company’s code of conduct and other policies; nowadays, companies are advised to provide more practical information to the government regarding their compliance programmes and to explain exactly how they are implemented, tested and monitored over time to demonstrate effectiveness.

Filip Factors

The maturity of a compliance programme is one of the factors that prosecutors consider in determining whether and what charges to bring. The DOJ’s Filip Factors list 11 considerations that companies should expect to discuss when seeking to convince the government not to bring charges or when negotiating a settlement, including two that specifically relate to a company’s compliance programme.[36] With respect to compliance, prosecutors are instructed to consider (1) the adequacy and effectiveness of the compliance programme at the time of the alleged misconduct and at the time of a charging decision, and (2) remedial actions, including any efforts to implement an adequate and effective corporate compliance programme or to improve an existing one.[37]

Compliance programmes, even those that specifically prohibit the misconduct at issue, are not themselves sufficient to justify not charging a corporation,[38] but the existence of a robustly enforced and risk-tailored programme ‘may be considered in determining whether the employee in fact acted to benefit the corporation’, which then enables a prosecutor to determine ‘whether the corporation has adopted and implemented a truly effective compliance program that, when consistent with other federal law enforcement policies, may result in a decision to charge only the corporation’s employees and agents or to mitigate charges or sanctions against the corporation’.[39]

Enforcement authorities consider ‘reform’ as a factor in evaluating a corporation’s remedial efforts. Accordingly, the government recognises that although the inadequacy of a compliance programme may be to the corporation’s disadvantage, ‘quick recognition of the flaws in the program and [the corporation’s] efforts to improve the program are also factors to consider as to the appropriate disposition of a case’.[40] The Filip Factors demonstrate that compliance efforts do not have to be perfect to earn credit in a resolution, but there has to be proactive participation by the corporation at every stage.

The Filip Factors’ expectations for compliance programmes are very similar to the ECCP factors discussed above. Consistent with this practical approach, in applying the Filip Factors, the government will consider, among other elements:

  • the company’s culture of compliance;
  • resources dedicated to compliance;
  • the quality, experience, compensation, promotion and reporting structure of personnel involved in compliance;
  • the compliance function’s level of authority and independence and the availability of compliance expertise to the board;
  • the effectiveness of risk assessments and their use in tailoring the programme; and
  • auditing of the compliance programme.[41]

The key takeaway is that an effective compliance programme is not derived through a one-size-fits-all approach, but rather adapted to the company’s specific circumstances and evaluated, in part, based on a company’s size and resources.[42] Overall, the Filip Factors, the ECCP and the CEP all provide relevant factors to be considered when determining whether the company is adequately addressing relevant risks and effectively working to detect, prevent, and mitigate potential misconduct.

The government’s standards are again reflected in enforcement actions that cite to compliance enhancements. For instance, in announcing Stericycle’s resolution in 2022, the SEC explained that the company did not have sufficient controls or a compliance department in place at the time of alleged misconduct to ‘prevent or even detect the misconduct’.[43] The DOJ and the SEC noted the company’s remediation in that regard:

  • divestment of problematic subsidiaries in Argentina and Mexico;
  • termination of relationships with problematic employees and third parties;
  • strengthening of its corporate governance by appointing new senior management and directors;
  • enhancement of its compliance infrastructure by hiring more local compliance personnel and an experienced chief ethics and compliance officer (who reports directly to the CEO and chair of the board’s audit committee);
  • updates to relevant policies and procedures; and
  • enhancement of internal reporting and risk assessment processes and anti-corruption compliance training.[44]

Remediation incentives

The best illustration of monetary incentives US authorities provide to incentivise compliance enhancements is the CEP, which provides that voluntary self-disclosure, full cooperation, and timely and appropriate remediation lead to the presumption of a declination if there are no aggravating factors and, in the event that an enforcement action is warranted, can still yield a 75 per cent reduction off the low end of the US Sentencing Guidelines[45] fine range (or 50 per cent absent self-disclosure).[46]

Most recently updated in January 2023,[47] the CEP increased various incentives available to companies undergoing criminal investigations: in addition to even higher penalty reductions, the updated CEP provides that prosecutors may offer declinations even in cases where certain aggravating factors (e.g., recidivism) are present, as long as the company immediately self-disclosed, provided ‘extraordinary’ cooperation and remediation and has an effective compliance programme and system of internal accounting controls that identified the misconduct that enabled the self-disclosure.[48]

Even in cases that result in enforcement actions, if a company self-discloses wrongdoing, DOJ will generally not require a corporate guilty plea or appoint an external monitor if the company can demonstrate that it has implemented and tested an effective compliance programme;[49] in other words, the DOJ’s most recent changes to the CEP significantly increase the incentives for self-disclosure (i.e. higher likelihood of declinations and lower likelihood of parent guilty pleas and monitorships), which DOJ acknowledges are made possible by effective compliance programmes.

In practice, the remediation prong is satisfied by companies taking disciplinary action against wrongdoers, terminating problematic third-party relationships and payment streams, and enhancing their compliance programmes to better detect and prevent future violations. ‘Implementation of an effective compliance and ethics program’ is required to receive full remediation credit.[50]

For example, in December 2022, ABB Ltd, a Swiss multinational technology firm, resolved DOJ and SEC investigations relating to an alleged bribery scheme that primarily occurred in South Africa.[51] Despite being an FCPA recidivist, the company received full cooperation and remediation credit from the DOJ, because, among other things, it promptly provided information obtained through its internal investigation, produced documents and translations, voluntarily made foreign-based employees available for interviews in the United States, hired experienced compliance personnel, conducted a root-cause analysis, invested significantly in compliance monitoring, conducted continuing testing and assessment and promptly disciplined responsible employees.[52] While ABB ultimately did not receive credit for voluntary disclosure, the DOJ nevertheless highlighted the company’s efforts in that regard.[53]

Compliance monitors

One of the most tangible incentives for compliance enhancements is the potential avoidance of an external monitor. The government views monitors as ‘effective tools for strengthening corporate compliance programs’[54] and as ‘allies’ to compliance personnel in creating ‘lasting, sustainable change in corporate culture’.[55] From a company’s perspective, however, the imposition of a multi-year monitorship is not only costly, but burdensome and potentially even disruptive to its operations.

The DOJ Office of the Deputy Attorney General’s memorandum of October 2021 (the 2021 Monaco Memorandum) outlined the government’s updated considerations regarding the imposition of monitors in corporate resolutions. The Monaco Memorandum recognised that independent corporate monitors can be an ‘effective resource in assessing a corporation’s compliance’ with the terms of a resolution and an ‘effective means of reducing the risk of repeat misconduct and compliance lapses identified during a corporate criminal investigation’.[56]

More recently, the 2022 Monaco Memorandum provided a non-exhaustive list of 10 factors that prosecutors should consider when deciding whether to require a monitor.[57] These factors include, among other things, whether the company voluntarily self-disclosed, whether the underlying conduct revealed weaknesses in the compliance programme and whether, at the time of the resolution, the corporation implemented an ‘effective compliance program and sufficient internal controls’ to detect and prevent similar misconduct in the future.[58] In civil cases, the government can also require that a company retain an independent compliance consultant or monitor to ‘provide an independent, third-party review of the company’s internal controls’.[59]

Although the DOJ and the SEC each can impose corporate monitors, the frequency of their imposition has varied over the years. For instance, between 2015 and 2019, the government imposed monitors in approximately 20 per cent of FCPA resolutions, but no monitors in 2020 and 2021. In 2021, the DOJ reversed Trump-era guidance that corporate monitors should be imposed as the exception rather than the rule, noting that prosecutors will consider a monitor where a compliance programme is ‘untested, ineffective, inadequately resourced, or not fully implemented at the time of a resolution’.[60]

The DOJ invoked that language when imposing monitors on Stericycle and Glencore in 2022: Stericycle received a two-year monitorship as the company had ‘enhanced and has committed to continuing to enhance its compliance program’,[61] while Glencore received a three-year monitorship (the standard term) because the DOJ found that its compliance enhancements were new and ‘have not been fully implemented or tested to demonstrate that they would prevent and detect similar misconduct in the future’.[62] These recent decisions indicate that partial but incomplete remediation may nevertheless result in a monitorship.

Reporting on compliance to enforcement authorities

In light of the above-mentioned incentives for timely and appropriate remediation, including implementation of a compliance programme that has been tested and shown to be effective, companies often consider a more proactive approach to compliance enhancements in dialogue with enforcement authorities. For instance, a company dealing with an issue that arose from third-party relationships may not only terminate relationships with culpable employees and third parties, but also undertake a broader audit or risk-based review of third-party relationships, attempt to claw back compensation from responsible employees,[63] bolster relevant policies and procedures and provide tailored training to employees and relevant third parties. Similarly, issues relating to international operations may prompt a company to undertake broader risk-based assessments in any high-risk jurisdictions in which they operate. These strategies are intended to better position a company to maximise remediation credit and stave off the imposition of a monitor.

In a typical reporting relationship, companies will deliver a presentation to the government on their compliance programme and related enhancements and respond to any inquiries and requests from the government for further information relating to their compliance efforts. The presentation can be a stand-alone remediation presentation or, especially in DOJ actions, included in the Filip Factors presentation, in which company representatives meet with enforcement officials to present the company’s position on factors the agencies are known to consider in their charging and settlement decisions.

During those presentations, companies often face experienced compliance specialists on the other side of the table because the agencies have continued to invest in their internal compliance expertise. For instance, in 2015, the DOJ retained a full-time compliance expert to assist prosecutors when evaluating corporate compliance programmes as part of enforcement actions. After the expert left in 2017, the DOJ changed course and eliminated the role.[64] Subsequently, in March 2021, the DOJ created a new group with responsibility for, among other things, assessing a company’s corporate compliance programme.[65]

With this additional expertise on the government side, companies would be well advised to make their compliance presentations concrete and practical and ensure they are supported by metrics and data. Enforcement officials pay particular attention to answers provided by companies during Filip Factors presentations, which can be a real sign of the effectiveness of compliance programmes.[66]

According to recent guidance provided by the DOJ,[67] companies preparing for compliance presentations should keep in mind some important points:

  • Companies making presentations ‘will face tough and probing’ questions. The government expects companies to ‘demonstrate how a compliance program has been upgraded to address the root cause of the misconduct, and how it is being tested and updated to ensure that it is sustainable and adaptable to changing risk’.[68]
  • The government expects active and meaningful participation from the company’s chief compliance officer (CCO), or equivalent position, who should be ‘leading the compliance presentation and demonstrating knowledge and ownership of the compliance program’.[69] The DOJ noted that the general counsel’s answering of a question that the DOJ posed to the CCO during a recent Filip Factors presentation demonstrated ‘literally and figuratively’ that the CCO had ‘no voice in that organization’.[70]
  • In addition to the CCO, other members of senior management are encouraged to participate in discussions, take ownership of their role in compliance and demonstrate ‘commitment to compliance’.[71]

In summary, enforcement authorities focus on evaluating compliance programmes throughout the enforcement life cycle. The government takes into consideration a company’s compliance structure and efforts when assessing any potential remediation credit, making charging decisions and determining continuing reporting obligations or the need for an external monitor. Companies and their key personnel are expected to demonstrate thoughtful and active engagement throughout the entire process.

Post-settlement compliance enforcement

US authorities’ compliance enforcement does not stop with a negotiated resolution. A standard negotiated agreement, whether a DPA or a non-prosecution agreement (NPA), even in the absence of an external monitor, sets out continuing obligations with respect to maintenance of an effective compliance programme.[72] There are two recent trends that point to the government’s increasing focus on enforcement of those commitments.

  • First, the DOJ now requires a certification from corporations’ CEOs and CCOs at the end of a DPA or NPA that the company’s compliance programme is ‘reasonably designed and implemented to detect and prevent violations of the law . . . and is functioning effectively’.[73] When this certification requirement was announced in March 2022, the insistence was that this step, rather than punitive, is intended to ‘empower’ CCOs by ensuring that they have data and access to ‘all relevant compliance-related information and can voice any concerns they may have prior to certification’.[74] It remains to be seen whether the DOJ will require this certification in every case or just in those that it views as egregious.
  • Second, the DOJ’s recently increased scrutiny of non-trial resolutions, and allegations of DPA breaches, further emphasise the importance of maintaining robust compliance programmes even after a settlement is reached.[75]

In March 2023, after breaching its 2019 DPA by violating its cooperation and disclosure provisions, Swedish telecommunications company Ericsson pleaded guilty to the two original counts of conspiracy to violate the anti-bribery and accounting provisions of the FCPA and agreed to pay an additional US$206 million penalty and to extend its monitorship by another year (i.e., until June 2024).[76] Ericsson’s DPA, as is standard in FCPA settlements, included an ongoing commitment to cooperate with continued investigations and to truthfully disclose information in response to DOJ inquiries, as well as to proactively report any newly uncovered evidence or allegations of FCPA violations during the DPA’s three-year term.[77]

The agreement provided that if the DOJ determined that Ericsson had breached the agreement by failing to uphold its obligations, the company could be subject to prosecution if its explanation was not satisfactory. The first breach involved the DOJ’s determination that Ericsson had failed to provide certain disclosures of relevant documents and factual information.[78] The second breach concerned insufficient disclosures made by Ericsson to the DOJ about its internal investigation into misconduct in Iraq.[79]

In a separate example, DOJ prosecutors found in March 2022 that Deutsche Bank had also violated its 2021 DPA arising from FCPA and market manipulation charges.[80] DOJ prosecutors determined that Deutsche Bank had violated its DPA by failing to timely disclose a whistleblower complaint regarding the bank’s investments in environmental, social and governance initiatives, which was discovered by the DOJ from media reports.[81] As a result of the breach, Deutsche Bank’s monitorship was extended for another year (i.e., until February 2023).[82]

Overall, these examples demonstrate unequivocally that successful compliance and remedial efforts must continue past the point of a resolution of a white-collar matter. As DOJ officials have publicly noted, DPAs and NPAs are not a ‘free pass’, and violation of their obligations carries significant risk of harsher enforcement.[83]


Enforcement history, government guidance and recent trends all point in the same direction: compliance is a critical aspect of corporate enforcement in the United States.

Compliance programmes affect every part of a company’s interactions with US enforcement authorities. Authorities expect proactive efforts by companies to implement tailored compliance programmes to address their main risks and prevent the types of misconduct most likely to occur in their businesses. For companies that find themselves subject to government inquiries, authorities closely evaluate compliance programme maturity during the course of their investigations and account for compliance enhancements when considering charging decisions, as well as – if deciding to proceed – the nature and structure of resolutions, the amount of penalties and the need for an external monitor. Further, because resolutions impose continuing obligations regarding maintenance and enhancement of compliance programmes, the emphasis on compliance does not stop with a negotiated resolution.

In short, as the government continues to warn, it pays to invest in compliance early.


[1] Kara Brockmeyer is a partner, Ivona Josipovic is a counsel and Andreas A Glimenakis and Berk Guler are associates at Debevoise & Plimpton LLP.

[2] See, e.g., Justice Manual (JM) § 9-28.800: ‘The Department encourages such corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own’.

[3] US Department of Justice (DOJ), ‘Deputy Attorney General Lisa O. Monaco Delivers Remarks on Corporate Criminal Enforcement’, 15 September 2022, (accessed 7 August 2023) (2022 Monaco Speech).

[4] DOJ, Criminal Division, ‘Evaluation of Corporate Compliance Programs’, updated March 2023 (ECCP); DOJ, Criminal Division and US Securities and Exchange Commission (SEC), Enforcement Division, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’, 2nd edn., July 2020 (FCPA Resource Guide), noting that ‘DOJ and SEC also consider the adequacy and effectiveness of a company’s compliance program at the time of the misconduct and at the time of the resolution when deciding what, if any action, to take’.

[5] JM, § 9-28.800, cmt.

[6] ECCP at 2. See Chapter 3 on ‘US Compliance Requirements’ for additional discussion.

[7] ECCP; DOJ, ‘Assistant Attorney General Kenneth A. Polite, Jr. Delivers Keynote at the ABA’s 38th Annual National Institute on White Collar Crime’, 3 March 2023, (accessed 7 August 2023) (2023 Polite Speech).

[8] 2022 Monaco Speech; DOJ, ‘Assistant Attorney General Kenneth A. Polite Jr. Delivers Remarks at NYU Law’s Program on Corporate Compliance and Enforcement (PCCE)’, 25 March 2022, (accessed 7 August 2023) (2022 Polite Speech), citing former Assistant Attorney General (AAG) Kenneth A Polite Jr, who noted that the government wants ‘to know more than dollars, headcount, and reporting lines’ and to see that ‘compliance officers have adequate access to and engagement with the business, management, and the board of directors’.

[9] FCPA Resource Guide at 56–57.

[10] SEC, Press Release No. 2023-92, ‘Dutch Medical Supplier Philips to Pay More Than $62 Million to Settle FCPA Charges’, 11 May 2023, (accessed 7 August 2023) (Philips Press Release).

[11] Order, In re Koninklijke Philips NV, Securities Exchange Act of 1934 Rel. No. 97479, Accounting and Auditing Enforcement Rel. No. 4406, Admin Proc. File No. 3-21411, 11 May 2023, ¶¶ 11, 13, (accessed 7 August 2023).

[12] ibid., ¶ 22.

[13] SEC, Press Release No. 2019-102, ‘Walmart Charged With FCPA Violations’, 20 June 2019, (accessed 7 August 2023) (Walmart Press Release).

[14] Order, In re KT Corporation, Securities Exchange Act of 1934 Rel. No. 94279, Admin. Proc. File No. 3-20780, 17 February 2022, (accessed 7 August 2023); SEC, Press Release No. 2022-30, ‘Largest South Korean Telecommunications Co. Agrees to Pay the SEC to Settle FCPA Charges’, 17 February 2022, (accessed 7 August 2023).

[15] Philips Press Release.

[16] Order, In re World Acceptance Corporation, Securities Exchange Act of 1934 Rel. No. 89489, Accounting and Auditing Enforcement Rel. No. 4158, Admin. Proc. File No. 3-19905, 6 August 2020, (accessed 7 August 2023).

[17] ibid., ¶ 14.

[18] Order, In re TechnipFMC plc, Securities Exchange Act of 1934 Rel. No. 87055, Accounting and Auditing Enforcement Rel. No. 4087, Admin. Proc. File No. 3-19493, 23 September 2019, (accessed 7 August 2023) (TechnipFMC Order). TechnipFMC also entered into a parallel resolution with the DOJ in relation to bribery schemes in Brazil and Iraq. See DOJ, Press Release No. 19-714, ‘TechnipFMC Plc and U.S.-Based Subsidiary Agree to Pay Over $296 Million in Global Penalties to Resolve Foreign Bribery Case’ (25 June 2019), (accessed 7 August 2023).

[19] TechnipFMC Order, ¶ 8.

[20] Walmart Press Release.

[21] Order, In re WPP plc, Securities Exchange Act of 1934 Rel. No. 93117, Accounting and Auditing Enforcement Rel. No. 4257, Admin. Proc. File No. 3-20595, 24 September 2021, (accessed 7 August 2023).

[22] ibid., ¶ 6.

[23] ibid., ¶ 7.

[24] Deferred Prosecution Agreement (DPA), United States of America v. Stericycle, Inc., Case No. 22-cr-20156-KMM, S.D. Fla. 18 April 2022, (accessed 7 August 2023) (Stericycle DPA); Order, In re Stericycle, Inc., Securities Exchange Act Release No. 94760, 20 April 2022, (accessed 7 August 2023) (Stericycle Order).

[25] Stericycle Order, ¶¶ 4–7.

[26] SEC, Press Release No. 2022-65, ‘SEC Charges Stericycle with Bribery Schemes in Latin America’, 20 April 2022, (accessed 7 August 2023) (Stericycle Press Release).

[27] DOJ, Memorandum from the Deputy Attorney General (Lisa O Monaco), ‘Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group’, 15 September 2022, (accessed 7 August 2023) (2022 Monaco Memorandum).

[28] JM § 9-47.120(4).

[29] DOJ, Criminal Division, Declination Letter from Fraud Section to Peter Spivack, ‘Re: Safran S.A.’, 21 December 2022, (accessed 7 August 2023).

[30] SEC, Press Release No. 2022-174, ‘SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures’, 27 September 2022, (accessed 7 August 2023); Commodity Futures Trading Commission, Release No. 8599-22, ‘CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods’, 27 September 2022, (accessed 7 August 2023).

[31] See, e.g., Order, In re Barclays Capital Inc., Securities Exchange Act of 1934 Rel. No. 95919, Admin. Proc. File No. 3-21164, 27 September 2022, (accessed 7 August 2023).

[32] See, e.g., DPA, Case No. 22-cr-00325-PJM, United States of America v. Gol Linhas Aereas Inteligentes S.A., D.Md. 16 September 2022, ¶ 31, (accessed 7 August 2023), citing communications between company personnel, an intermediary and a government official using text messages and US-based ephemeral messaging applications; DPA, United States of America v. Vitol Inc., Case No. 20-cr-539-ENV, E.D.N.Y. 3 December 2020, ¶¶ 29–30, (accessed 7 August 2023), citing instant messaging communications between company employees regarding communications with government official.

[33] DOJ, Memorandum from the Deputy Attorney General (Lisa O Monaco), ‘Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies’, 28 October 2021, (accessed 7 August 2023) (2021 Monaco Memorandum).

[34] In March 2023, the DOJ announced that companies are expected to produce communications from third-party messaging applications and that companies’ inability to access and produce those records – and unsatisfactory explanations regarding the reasons for that inability – ‘may very well affect the offer’ companies receive to resolve an investigation (2023 Polite Speech).

[35] JM § 9-28.300 (Filip Factors).

[36] ibid.

[37] The DOJ clarifies that the Filip Factors do not constitute an exhaustive list, and some factors may not apply to individual cases (ibid., cmt).

[38] JM § 9-28.800, cmt: ‘The existence of a corporate compliance program, even one that specifically prohibited the very conduct in question, does not absolve the corporation from criminal liability under the doctrine of respondeat superior.’

[39] ibid., citing United States v. Beusch, 596 F.2d 871, 878 (9th Cir. 1979).

[40] JM § 9-28.1000.

[41] JM § 9-47.120(3)(c).

[42] ibid.

[43] Stericycle Press Release.

[44] Stericycle DPA, ¶ 4(d); Stericycle Order, ¶¶ 27–28.

[45] United States Sentencing Commission, ‘Guidelines Manual 2021’.

[46] JM § 9-47.120.

[47] DOJ, ‘Assistant Attorney General Kenneth A. Polite, Jr. Delivers Remarks on Revisions to the Criminal Division’s Corporate Enforcement Policy’, 17 January 2023, (accessed 7 August 2023).

[48] JM § 9-47.120(2).

[49] ibid.

[50] JM § 9-47.120(5)(c).

[51] DPA, United States of America v. ABB Ltd., Case No. 22-cr-00220-MSN, E.D. Va. 2 December 2022, (accessed 7 August 2023) (ABB DPA); Order, In re ABB Ltd., Securities Exchange Act of 1934 Rel. No. 96444, Admin. Proc. File No. 3-21248, 3 December 2022, (accessed 7 August 2023).

[52] ABB DPA, at 4–5. Owing primarily to ABB’s recidivist status, the 25 per cent discount was applied off the mid-point between the middle and high ends of the Sentencing Guidelines range instead of the bottom end of the range.

[53] ibid. at 4.

[54] 2022 Polite Speech.

[55] ibid.

[56] 2021 Monaco Memorandum.

[57] 2022 Monaco Memorandum.

[58] ibid. at 12–13.

[59] FCPA Resource Guide at 74.

[60] 2021 Monaco Memorandum at 4.

[61] Stericycle DPA, ¶ 4.

[62] DOJ, Press Release No. 22-176, ‘Glencore Entered Guilty Pleas To Foreign Bribery And Market Manipulation Conspiracies’, 24 May 2022, (accessed 7 August 2023).

[63] In 2023, the DOJ launched its first pilot programme regarding compensation incentives and clawbacks, which requires companies resolving investigations to develop compliance-promoting criteria within their compensation systems in exchange for reducing their applicable criminal fines by the amount of compensation clawed back. See DOJ, Criminal Division, ‘The Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks’, 3 March 2023, (accessed 7 August 2023).

[64] Clara Hudson, ‘DOJ makes good on compliance hiring pledge’, Global Investigations Review, 2 March 2021, (accessed 7 August 2023). It was also recognised at the time by former AAG Brian Benczkowski that the consolidation of compliance expertise in a single person created ‘inherent limitations’.

[65] Dylan Tokar, ‘Justice Department’s Foreign Bribery Unit Adds Prosecutors, Compliance Expertise’, The Wall Street Journal, 8 March 2021, (accessed 7 August 2023).

[66] Adam Dobrik, ‘Andrew Weissmann: A key question in the Filip factors presentation’, Global Investigations Review, 23 May 2016, (accessed 7 August 2023).

[67] 2022 Polite Speech.

[68] ibid.

[69] ibid.

[70] Kyle Brasseur, ‘DOJ’s Kenneth Polite to CCOs: Tell me your compliance success stories’, Compliance Week, 17 May 2022, (accessed 7 August 2023).

[71] ibid.

[72] See, e.g., DPA, United States v. Herbalife Nutrition Ltd., Document 4-1, Letter to Patrick F Stokes et al., Case 1:20-cr-00443-GHW, Attachment C, 1 September 2020, (accessed 7 August 2023). Through Attachment C of a DPA, the company makes representations regarding its efforts to enhance and enforce its compliance policies and procedures. Attachment C also sets out the parameters of the required compliance programme and the company’s reporting obligations to the government.

[73] 2022 Polite Speech; Plea Agreement, United States v. Glencore International A.G., S.D.N.Y. 24 May 2022, ¶ 9, (accessed 7 August 2023).

[74] 2022 Polite Speech.

[75] ‘John Carlin on stepping up DOJ corporate enforcement’, Global Investigations Review, 11 October 2021, (accessed 7 August 2023).

[76] DOJ, Press Release No. 23-239, ‘Ericsson to Plead Guilty and Pay Over $206M Following Breach of 2019 FCPA Deferred Prosecution Agreement’, 2 March 2023, (accessed 7 August 2023); DPA, United States v. Telefonaktiebolaget LM Ericsson, Letter to Cheryl J Scarboro et al., 26 November 2019, (accessed 7 August 2023).

[77] ibid., ¶ 5.

[78] Telefonaktiebolaget LM Ericsson, Press Release, ‘Update on Deferred Prosecution Agreement’, 21 October 2021, (accessed 7 August 2023).

[79] Telefonaktiebolaget LM Ericsson, Press Release, ‘Update on Deferred Prosecution Agreement’, 2 March 2022, (accessed 7 August 2023).

[80] DPA, United States of America v. Deutsche Bank Aktiengesellschaft, Case No. 20-00584 (RPK) (RML), E.D.N.Y. 8 January 2021, (accessed 7 August 2023).

[81] Patricia Kowsmann, ‘Deutsche Bank Violates DOJ Settlement, Agrees to Extend Outside Monitor’, The Wall Street Journal, 11 March 2022, (accessed 7 August 2023).

[82] ibid.

[83] DOJ, ‘Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime’ (28 October 2021), (accessed 7 August 2023).

Unlock unlimited access to all Global Investigations Review content