Self-Reporting to the Authorities and Other Disclosure Obligations: The US Perspective

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

4.1 Introduction

There is typically no formal obligation in the United States to disclose potential wrongdoing to enforcement authorities; however, there can often be strategic advantages to doing so. Subjects of investigations may, in certain cases, avoid some of the most adverse consequences by self-reporting, including reduced penalties and more favourable settlement terms. Additionally, companies in certain regulated sectors may avoid debarment even where clear violations occurred. US regulators are incentivising companies to self-report by offering potential and meaningful co-operation credit for doing so. The Corporate Enforcement Policy of the US Department of Justice (DOJ), first announced in November 2017, updated and formalised the DOJ’s criteria for evaluating and rewarding self-disclosure and co-operation in cases relating to the Foreign Corrupt Practices Act (FCPA). Revisions in March and November 2019 broadened its application beyond the FCPA and clarified the DOJ’s expectations for securing credit. More recently, the Corporate Enforcement Policy has been incorporated into the second edition of A Resource Guide to the US Foreign Corrupt Practices Act, released by the DOJ and SEC in July 2020.[2]

Despite public perception to the contrary, the Trump administration appears committed to enforcing the FCPA, including a continued focus on self-reporting and multi-jurisdictional co-operation. Although the number of FCPA enforcement cases is down in 2020 owing to the covid-19 pandemic, in 2019 both the DOJ and SEC surpassed their 2018 enforcement activity, bringing a total of 54 FCPA enforcement actions and netting a combined $2.6 billion in monetary sanctions. In comparison, in 2018, the DOJ and SEC brought a total of 39 enforcement actions, and collected a combined US$2.2 billion in fines. The DOJ and SEC also entered into the two largest corporate FCPA resolutions to date, with Mobile TeleSystems PJSC and its Uzbek subsidiary agreeing to settle for US$850 million in March 2019[3] and Telefonaktiebolaget LM Ericsson agreeing to pay more than US$1 billion in December 2019.[4]

Moreover, US regulators have historically been receptive to parties reporting facts while preserving privilege during the co-operation and reporting process, and are specifically prohibited from making co-operation credit conditional on privilege waiver.

4.2 Mandatory self-reporting to authorities

Before considering a voluntary disclosure, it is important for at least two reasons to determine whether the company has any potential mandatory reporting obligation. First, mandatory reporting obligations often prescribe the recipient, form, timing and content of the disclosure. Second, the evaluation will be materially different if a mandatory report is required, even if that report is in another jurisdiction, given the clear commitment to sharing information between international regulators. In other words, if a company is required to self-report in at least one jurisdiction, it should consider voluntarily disclosing in others given the likelihood that the government agencies will share information.

Despite this, the DOJ announced a formal policy to avoid ‘piling on’ penalties that are duplicative for the same misconduct in May 2018, and elaborated on tit in the 2020 FCPA Resource Guide. Under the policy, various US enforcement agencies must coordinate with each other and with foreign government agencies when reaching settlements with corporations. The 2020 Resource Guide underscores its anti-piling on policy as part of the growing international effort to combat corruption. It includes, as an example, a declination awarded to a UK seismic event detection equipment company, which was subject to a parallel investigation by the Serious Fraud Office (SFO) for the same conduct and committed to accepting responsibility with the SFO.[5] However, the DOJ has warned that companies looking to benefit from the policy should self-disclose wrongdoing directly to the DOJ.[6]

4.2.1 Statutory and regulatory mandatory disclosure obligations

In the United States, most disclosure obligations originate in statute or regulations. Key examples include:

  • the Sarbanes-Oxley Act of 2002, which requires the disclosure of all information that has a material financial effect on a public company in periodic financial reports;
  • the US Bank Secrecy Act of 1970, which requires financial institutions to disclose certain suspicious transactions or currency transactions in excess of US$10,000;
  • the US Anti-Money Laundering Regulations, which require financial institutions to report actual or suspected money laundering under certain circumstances;[7]
  • state data breach regulations – 47 of 50 US states have laws requiring companies conducting business in the state to disclose data breaches involving personal information; and
  • the Anti-Kickback Enforcement Act of 1986, which requires government contractors to make a ‘timely notification’ of violations of federal criminal law or overpayments in connection with the award or performance of most federal government contracts or subcontracts, including those performed outside the United States.

4.2.2 Disclosure obligations under existing agreements with the government

In addition to statutory or regulatory-based mandatory disclosure requirements, companies must also evaluate whether they have any mandatory disclosure obligations under pre-existing agreements with the government. For example, if a company is subject to a deferred prosecution agreement (DPA) (or a corporate integrity agreement (CIA) in the healthcare sector), the agreement often contains self-reporting mandates for any subsequent violations. In many cases, these agreements may require the appointment of independent monitors. While DPAs, CIAs and similar agreements have been used frequently in the United States, other countries, including the United Kingdom, are also now increasingly using similar agreements to drive self-reporting and co-operation.

4.2.3 Other sources of mandatory disclosure obligations

Individuals and companies may also have mandatory disclosure obligations as a result of private contractual agreements as well as membership in professional bodies. Such disclosures between private parties may lead to a disclosure to a regulator by the receiving entity. For example, a subcontractor may be obliged by contract to report issues to the contracting party. That contracting party may subsequently determine that it is subject to its own reporting obligation or may choose to self-report to reduce any potential liability.

4.3 Voluntary self-reporting to authorities

Self-reporting and co-operation are important factors for both the DOJ and the US Securities and Exchange Commission (SEC) in deciding how to proceed with and resolve investigations and enforcement actions in cases involving corporations. Companies must carry out a fact-intensive and holistic inquiry in deciding whether to voluntarily self-report to US authorities. There is no one-size-fits-all approach to this analysis, but those contemplating voluntarily disclosing misconduct to US authorities should keep certain considerations in mind.

Key Considerations in Resolving Enforcement Actions
US Department of JusticeUS Securities and Exchange Commission
  • Self-disclosure and willingness to co-operate in the investigation
  • Disclosure of individuals substantially involved in or responsible for misconduct
  • Pervasiveness of wrongdoing within the corporation
  • Existence and effectiveness of a compliance programme
  • Meaningful remedial actions
  • Self-reporting and investigation of misconduct
  • Effective compliance procedures and appropriate tone at the top
  • Whether the case involves a potentially widespread industry practice
  • Whether the conduct is ongoing

4.3.1 Advantages of voluntarily self-reporting

The primary benefit to self-reporting is to secure potentially reduced penalties through co-operation credit and, moreover, to maintain control over the flow of information to regulators. In recent years, US regulators have become increasingly vocal about the benefits of self-disclosure and co-operation, with the DOJ even formalising those benefits, first, in its FCPA Pilot Program (Pilot Program),[8] and subsequently the Corporate Enforcement Policy. Yet, co-operation, which inevitably goes hand in hand with a voluntary disclosure, imposes significant demands on corporations and is not without meaningful risk. DOJ co-operation credit

To encourage self-reporting and co-operation, the DOJ has issued and subsequently revised guidance on the subject for many years. In June 1999, the DOJ issued the Principles of Federal Prosecution of Business Organizations, now known as the ‘Holder Memorandum’, to articulate and standardise the factors to be considered by federal prosecutors in making charging decisions against corporations.[9] The Holder Memorandum instructed DOJ prosecutors to consider as a factor in bringing charges whether a corporation has timely and voluntarily disclosed wrongdoing and whether it has been willing ‘to cooperate in the investigation of its agents’.[10] In 2008, the then-Deputy Attorney General, Mark R Filip, added language to the US Attorneys’ Manual, now titled the Justice Manual,[11] instructing prosecutors to consider ‘the corporation’s willingness to provide relevant information and evidence and identify relevant actors within and outside the corporation, including senior executives’ when assessing a corporation’s co-operation.[12] Mr Filip also outlined in his memorandum nine factors on which prosecutors base their corporate charging and resolution decisions, the so-called ‘Filip Factors’, incorporating some language from the Holder Memorandum (Filip Factor Four, a corporation’s ‘willingness to cooperate in the investigation of [its] agents’), and adding of Filip Factor Eight: ‘the adequacy of prosecution of individuals responsible for the corporation’s malfeasance’.[13]

The Yates Memorandum

Building on the Holder Memorandum, former Deputy Attorney General Sally Quillian Yates issued the Memorandum of Individual Accountability for Corporate Wrongdoing, now known as the ‘Yates Memorandum’, in September 2015.[14] The Yates Memorandum is still operative and outlines the ‘six key steps’ prosecutors should take in all investigations of corporate wrongdoing.[15] The most significant policy shift in the Yates Memorandum concerned the relationship between a company’s co-operation with respect to individual wrongdoers and the company’s eligibility for co-operation credit. Under the Yates Memorandum, the identification of responsible individuals became a ‘threshold requirement’ for receiving any co-operation credit consideration.[16] Ms Yates also emphasised that a failure to conduct a robust internal investigation is not an excuse, stating that ‘[c]ompanies may not pick and choose what facts to disclose’.[17] However, the revised Justice Manual clarifies that ‘[t]here may be circumstances where, despite its best efforts to conduct a thorough investigation, a company genuinely cannot get access to certain evidence or is actually prohibited from disclosing it to the government’.[18] Nevertheless, the Justice Manual is clear that in such cases ‘the company seeking cooperation will bear the burden of explaining the restrictions it is facing to the prosecutor’.[19] Consequently, thorough and properly scoped internal investigations are of critical importance.

On 29 November 2018, former Deputy Attorney General Rod Rosenstein delivered a speech to FCPA practitioners announcing a shift in the DOJ’s policy on co-operation credit and the scope of disclosure with respect to culpable individuals.[20] According to Rosenstein, the Yates Memorandum’s policy directing prosecutors to make co-operation credit dependent on the corporation’s disclosure of ‘every person involved in [the] alleged misconduct in any way, regardless of their role’ ‘impeded resolutions and wasted resources’. Investigations were delayed solely to collect information on low-level employees unlikely to be prosecuted. By contrast, under the new policy, a corporation is entitled to co-operation credit in criminal proceedings as long as it discloses ‘all relevant facts known to it at the time of the disclosure, including as to any individuals substantially involved in or responsible for the misconduct at issue’.[21] The DOJ will also use this standard to determine which corporations are entitled to full co-operation credit in the context of civil enforcement. In addition, corporations facing civil enforcement are now eligible for partial co-operation credit if, at the very least, they ‘identify all wrongdoing by senior officials’ and ‘meaningfully assist the government’s investigation’.[22] Finally, recognising that monetary recovery is the main objective of civil enforcement, the DOJ will once again let prosecutors ‘consider an individual’s ability to pay in deciding whether to pursue a civil judgment’ – with the hope that prosecutors will avoid targets ‘unlikely to yield any benefit’. Altogether, the new policy seeks to conserve ‘limited investigative resources’ while advancing traditional agency goals like deterrence and recovery and continuing to prioritise individual prosecution.

The Pilot Program and Corporate Enforcement Policy

In April 2016, the DOJ announced that it was launching a one-year Pilot Program to enhance its efforts to detect and prosecute individuals and companies for violations of the FCPA.[23] The Pilot Program, which incentivised voluntary self-disclosure of misconduct, was extended for an additional year on 10 March 2017. On 29 November 2017, former Deputy Attorney General Rod Rosenstein publicly applauded the Pilot Program as a ‘step forward in fighting corporate crime’ and announced that the DOJ would be incorporating a revised Corporate Enforcement Policy into the Justice Manual.[24] On 1 March 2018, the DOJ announced that it would apply the Corporate Enforcement Policy as non-binding guidance in criminal cases outside the FCPA context.[25] Moreover, the most substantial addition to the 2020 FCPA Resource Guide is a section incorporating the Corporate Enforcement Policy, underscoring the DOJ’s and SEC’s emphasis on voluntary self-disclosure, co-operation and remediation. In light of these developments, the Corporate Enforcement Policy provides valuable guidance to corporations as they investigate misconduct and contemplate voluntary disclosure.

The Corporate Enforcement Policy outlines factors that a company must meet to earn credit for voluntary self-disclosure. The disclosure (1) must occur prior to an imminent threat of disclosure or government investigation, (2) must be disclosed within a reasonably prompt time after the company becomes aware of the offence, and (3) must include all relevant facts known to the company at the time of disclosure, including all relevant facts about the individuals substantially involved in or responsible for the misconduct.[26] The November 2019 changes to the Corporate Enforcement Policy acknowledge the DOJ’s recognition, in a footnote, that ‘a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure.’ The Corporate Enforcement Policy also now requires the company to alert the DOJ of evidence of the misconduct when it becomes aware of it, whereas, previously, where the company was or should have been aware of opportunities for the DOJ to obtain evidence not in the company’s possession, it had to identify those opportunities to the DOJ in order to receive full co-operation credit.

The Corporate Enforcement Policy also contains specific guidance on the steps a company must take to earn full co-operation credit and to provide timely and appropriate remediation, consistent with the Yates Memorandum and the Justice Manual’s Sentencing Guidelines. The exact level of co-operation credit available to a corporation will vary based on the investigation. It is possible for a corporation to earn full credit under the US Sentencing Guidelines but not earn additional credit under the Corporate Enforcement Policy.[27] Moreover, the DOJ has shown itself willing to assign different levels of co-operation credit for different investigations into the same company. For example, in June 2019, the DOJ entered an NPA with Walmart, resolving investigations into Walmart’s alleged corrupt activity in four countries: Brazil, China, India and Mexico. Although the NPA covered conduct in all four countries, and the company received full credit for its co-operation with the DOJ in the first three investigations, with respect to the Mexico investigation, Walmart received only partial credit due to its failure to timely provide certain documents and ‘deconflict’ in response to a witness interview request.

Compared with the Pilot Program, the Corporate Enforcement Policy enhances the benefits available to a company that satisfies all the requirements for voluntary self-disclosure, co-operation and remediation. Under both programmes, companies that fully co-operate with DOJ investigations and implement appropriate remediation in FCPA matters, but that do not voluntarily self-disclose, will be eligible for limited credit, at most a 25 per cent reduction off the bottom of the Sentencing Guidelines fine range. However, when a company has voluntarily self-disclosed, fully co-operated with the DOJ, and has timely and appropriately remediated, the Corporate Enforcement Policy creates a rebuttable presumption, which may be overcome by ‘aggravated circumstances’ related to the nature and seriousness of the offence, that the DOJ will grant a declination.[28] In contrast, the Pilot Program provided that the DOJ would ‘consider’ a declination for companies that met these requirements.[29] Under the Corporate Enforcement Policy, if the presumption is overcome and a criminal resolution is warranted, the DOJ will recommend a 50 per cent reduction off the low end of the Sentencing Guidelines fine range and generally will not require the appointment of a monitor if the company has, at the time of resolution, implemented an effective compliance programme.[30]

The DOJ issued seven public declinations under the Pilot Program and continues to decline prosecution under the Corporate Enforcement Policy.[31] Seven declinations have been issued under the Corporate Enforcement Policy at the time of writing, the most recent being in August 2020, when the DOJ declined to prosecute World Acceptance Corporation due to its voluntary self-disclosure, extensive co-operation and remediation, and disgorgement of US$17.8 million,[32] and in September 2019, when it issued a declination – in part for its prompt, voluntary disclosure of the misconduct – to Quad/Graphics,[33] which a week later agreed to disgorge approximately US$6.9 million of its ill-gotten gains to the SEC.[34]

All declination letters so far issued under the Corporate Enforcement Policy and Pilot Program have been publicly released by the DOJ. By publishing its rationale for issuing declinations, the DOJ has sought to provide ‘increased transparency as to [the] evaluation process’.[35] However, in a June 2019 speech to the American Bar Association, Deputy Assistant Attorney General Matt Miner announced that the DOJ would be open to keeping declinations private where public release is ‘neither necessary nor warranted’. Miner gave the example of a corporation that discovers inconsequential bribes in the context of an M&A transaction and self-discloses immediately – in such a case, the agency would be ‘open to discussion’ regarding public release. Nonetheless, Miner maintained that this decision will always remain in the agency’s discretion.

The following table compares several recent FCPA corporate resolutions under the Corporate Enforcement Policy, and the comparative credit for self-disclosure, co-operation and remediation.

Recent Resolutions under DOJ’s Corporate Enforcement Policy
World Acceptance Corporation (WAC)
BackgroundWAC’s Mexican subsidiary paid approximately US$4.1 million in bribes between 2010 and 2017 to obtain and retain business relating to its Préstamos Viva business line, which offered small loans to state and federal government employees.
Self-ReportWAC voluntarily self-disclosed to the DOJ upon learning of the misconduct.
and Remediation
WAC proactively co-operated with the DOJ, including provision of known relevant facts about the misconduct, and took steps to remediate, including by providing additional FCPA training as part of its compliance programme. WAC also separated from executives under whom the misconduct took place and discontinued its relationships with third parties involved in the misconduct.
ResultIn August 2020, the DOJ issued a declination letter, while the SEC issued a cease-and-desist order requiring WAC to pay disgorgement of US$17.8 million, prejudgment interest of US$1.9 million and a US$2 million civil fine.
Quad/Graphics Inc (Quad/Graphics)
BackgroundQuad/Graphics is a US-based digital and print marketing provider. Between 2011 and 2016, employees of Quad/Graphics’ Peruvian subsidiary paid or promised to pay over US$1 million to third-party intermediaries, in part, to pay bribes to Peruvian officials to secure printing contracts and minimise penalty and tax payments. Additionally, between 2010 and 2015, employees of Quad/Graphics’ Chinese subsidiary paid bribes to employees of state-owned companies to secure printing business in China.
Self-ReportQuad/Graphics voluntarily and promptly self-disclosed to the DOJ.
and Remediation
Quad/Graphics conducted an internal investigation, proactively co-operated with the DOJ, took steps to enhance its compliance programme and terminated relationships with employees and third parties involved in the misconduct.
ResultIn September 2019, the DOJ issued a declination letter and the SEC issued a cease and desist order requiring Quad/Graphics to disgorge US$6.9 million in profits, plus interest and pay a US$2 million civil penalty.
Telefonaktiebolaget LM Ericsson (Ericsson)
BackgroundEricsson is a multinational telecommunications company headquartered in Sweden. Ericsson admitted that between 2000 and 2016, it used third parties to make bribe payments to government officials or to manage off-the-books slush funds in Djibouti, China, Vietnam, Indonesia and Kuwait.
Self-ReportEricsson did not voluntarily self-report.
and Remediation
Ericsson did not receive full credit for co-operation and remediation because it did not disclose allegations of corruption with respect to two relevant matters, produced certain materials in an untimely manner, and did not fully remediate, including by failing to take adequate disciplinary measures with respect to certain employees involved in the misconduct.
ResultIn December 2019, Ericsson entered into a DPA with the DOJ and a related resolution with the SEC. Ericsson agreed to pay a criminal penalty of US$520.7 million and US$539.9 million in disgorgement of profits under its civil resolution with the SEC. The criminal penalty was reduced by 15 per cent off the applicable US Sentencing Guidelines range because Ericsson committed to further enhance its compliance programme and internal accounting controls. Ericsson’s Egyptian subsidiary pleaded guilty to conspiracy to violate the anti-bribery provisions of the FCPA. Ericsson also agreed to the imposition of an independent compliance monitor.
Mobile TeleSystems (MTS)
BackgroundMTS is a Russian telecommunications company in Russia and an issuer of publicly traded securities in the United States. MTS admitted that between 2004 and 2012, MTS and its Uzbek subsidiary paid approximately US$420 million in bribes to Gulnara Karimova, the daughter of the former president of Uzbekistan, who had influence over the Uzbek government body that regulated the telecoms industry. MTS admitted that the payments were made through shell companies, charities, sponsorships and inflated prices paid to purchase shares in a company Karimova owned.
Self-ReportMTS did not voluntarily self-report.
and Remediation
MTS did not receive full credit because its co-operation and remediation was lacking and not proactive.
ResultIn March 2019, MTS entered into a DPA with the DOJ, and its Uzbek subsidiary pleaded guilty to violating the FCPA. MTS agreed to pay a total criminal penalty of US$850 million. MTS also agreed to the imposition of a corporate monitor.

The Pilot Program and its codification as the Corporate Enforcement Policy has demonstrated the DOJ’s commitment to rewarding voluntary self-disclosure in FCPA enforcement, and by many accounts has been viewed as very successful.

Benczkowski Memorandum

As part of its ongoing effort to update and clarify its corporate enforcement policies, in October 2018, the DOJ issued new guidance on imposing corporate compliance monitors now known as the ‘Benczkowski Memorandum’.[36] The new policy supplements the 2008 ‘Morford Memorandum’, which outlined the principles on selection, scope and duration of monitorships, and supersedes the guidance contained in the 2009 ‘Breuer Memorandum’ on imposing corporate monitors. Former Assistant Attorney General Brian Benczkowski explained that the goal of the new guidance was to ‘further refine the factors that go into the determination of whether a monitor is needed, as well as clarify and refine the monitor selection process’.

Under the Benczkowski Memorandum, the potential benefits of employing a corporate monitor should be weighed against the cost of a monitor and its impact on the operations of the corporation. In making a determination to impose a corporate monitor, the DOJ will consider a number of factors, including the type of misconduct, the pervasiveness of the conduct and whether it involved senior management, the investments and improvements a company has made to its corporate compliance programme and internal controls, and whether those improvements have been tested to demonstrate that they would prevent or detect similar misconduct in the future. Other factors include whether remedial actions were taken against individuals involved, and the industry and geography in which the company operates and the nature of the company’s clientele. The Benczkowski Memorandum provides: ‘Where a corporation’s compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will not be necessary.’[37]

The guidelines are clearly intended to complement the goals articulated in the Corporate Enforcement Policy, giving companies greater incentives to self-disclose and co-operate with DOJ investigations of corporate wrongdoing. A key feature of the Benczkowski Memorandum is that companies can receive meaningful credit, namely avoiding a compliance monitor, by engaging in extensive remediation of their compliance programmes. SEC co-operation credit

Although it can be difficult to precisely quantify the benefit of co-operation with the SEC, the Commission will consider general principles of sentencing, especially general deterrence. In both public statements and in practice, the Commission has made clear that companies can receive significant leniency for full co-operation. During a speech on 9 May 2018, former SEC Enforcement Division Co-Director Steven Peikin emphasised the importance of co-operation, noting that the SEC would continue to provide ‘incentives to those who come forward and provide valuable information’ to the SEC.[38] Co-operation may influence the Commission’s decision whether to impose a civil monetary penalty.[39]

While the SEC has not entered into any non-prosecution agreements (NPAs) since 2016 and has only entered into three NPAs since their inception in 2010,[40] the SEC nevertheless signalled its continued commitment to using NPAs to reward co-operation through its proposed whistleblower rule amendments in 2018. Specifically, the proposed rule amendments would allow the SEC to make award payments to whistleblowers based on money collected as a result of DPAs and NPAs, to ‘ensure that whistleblowers are not disadvantaged because of the particular form of an action’ that the SEC or another regulator takes.[41] The SEC will, however, set a high bar before entering into an NPA in an FCPA enforcement action. With respect to NPAs entered into with Akamai Technologies, Inc and Nortek, Inc in 2016, Kara Brockmeyer, former Chief of the SEC Enforcement Division’s FCPA Unit, stated: ‘Akamai and Nortek each promptly tightened their internal controls after discovering the bribes and took swift remedial measures to eliminate the problems. They handled it the right way and got expeditious resolutions as a result.’[42]

4.4 Risks in voluntarily self-reporting

While self-disclosure can reap significant monetary benefits, a company must balance the potential risks against any potential benefit. Self-reporting can give rise to lengthy co-operation obligations and increased government scrutiny. As discussed above, the multi-jurisdictional nature of many ‘white-collar’ matters means that self-reporting may lead to enquiries from global regulators, differing resolutions and ongoing obligations.

Furthermore, the DOJ is likely to impose a stringent bar when evaluating the sufficiency of compliance programmes to determine whether the requirements of the Corporate Enforcement Policy are met or to otherwise reduce liability. On 1 June 2020, the DOJ published revised guidance on Evaluation of Corporate Compliance Programs[43] (the Guidance), first released in February 2017 and updated in April 2019. The Guidance is framed around three fundamental questions as to whether (1) the corporation’s compliance programme is well designed, (2) it is being applied earnestly and in good faith (i.e., whether it is adequately resourced and empowered to function effectively), and (3) it works in practice. The Guidance has since also been incorporated into the 2020 FCPA Resource Guide, which notes the DOJ’s position that ‘the truest measure of an effective compliance program is how it responds to misconduct’.

Although the content of the Guidance is largely familiar to practitioners, it does give a clearer picture of the DOJ’s current approach to corporate compliance. The Guidance underscores the DOJ’s focus on the operation, rather than the appearance, of corporate compliance programmes. The Guidance suggests that companies should expect to be asked detailed and challenging questions regarding the scope and effectiveness of their compliance programmes, both at the time of the offence and at the time of the charging decision and resolution. The Guidance emphasises the DOJ’s expectation that compliance programmes should be risk-based and tailored to the specific commercial realities of the company’s business, and that companies should continually reassess their risk profiles and the efficacy of their compliance programmes to ensure their programmes are fit to address evolving risks and trends. Moreover, the Guidance makes clear that the DOJ will enquire about the company’s culture of compliance at all levels of the business, including middle management as well as senior management, and whether the company’s compliance function has sufficient access to data across the business and makes use of data analytics to monitor and test policies, controls, and transactions. In the mergers and acquisitions context, the Guidance emphasises the need for pre-acquisition compliance due diligence as well as post-closing integration.

If a company’s compliance programme fails to withstand such scrutiny, it risks losing credit for the programme, paying higher penalties or even facing separate violations for inadequate internal controls. Taking these existing increasingly stringent co-operation standards into consideration, companies considering self-disclosure should carefully assess whether they can meet regulator expectations. If companies fall short, regulators may refuse co-operation credit and use the information obtained through the self-disclosure against the company.

4.5 Risks in choosing not to self-report

US regulators have warned that the potential downside of not self-reporting any violation could be significant where the matter is otherwise brought to their attention. In a 5 July 2018 press release announcing an NPA with a Hong Kong-based subsidiary of Credit Suisse Group to resolve an investigation into ‘princeling’ hiring by the bank, the DOJ noted certain steps the firm did not take that limited the amount of co-operation credit it received. Specifically, the bank did not receive voluntary disclosure credit and did not receive full co-operation credit because its ‘cooperation was reactive and not proactive’.[44] The DOJ made similar comments when it announced its resolution with MTS in March 2019.[45]

Consequently, companies should carefully consider the likelihood that the conduct will be discovered by other means. It is important to consider whether other industry players could affect the company’s position. Industry-wide trends may expose a company’s misconduct. If regulators undertake an industry-wide investigation into particular practices, which we have observed in recent years with pharmaceutical companies, medical device manufacturers and automobile companies, a company might be exposed by a competitor’s self-report or more passively through a third-party subpoena or any investigative demand.

Companies should also be sensitive to increasing whistleblower activity. Current or former employees are incentivised to report potential misconduct to US regulators, which has led to substantial recoveries for the government. The SEC’s whistleblower programme has been steadily active, with 113 individuals receiving approximately US$720 million between 2012 and November 2020.[46] Whistleblowers are eligible to receive awards between 10 per cent and 30 per cent of the money recovered if their ‘high-quality original information’ leads to enforcement actions in which the SEC orders at least US$1 million.[47] The programme continues to be a priority for the Commission. In October 2020, the SEC announced its largest whistleblower award to date, with a single whistleblower receiving over US$114 million.[48] It is therefore important that a company consider the real possibility that its conduct could be exposed by means other than voluntary self-disclosure, and the associated, often expensive, risks associated with not being the first to come forward. When deciding not to self-report, a company must ensure that the decision is appropriately considered and documented. If a company decides not to self-report and the government later enquires about the issue, the best defence is that the company conducted a thorough investigation, remediated the issue and had a reasonable basis for not self-reporting to the government. US regulators will look to a company’s board of directors to ensure the appropriate steps were taken.[49] The SEC has expressed that the board of directors must exercise oversight and set a strong ‘tone at the top’ emphasising the importance of compliance.


[1] Amanda Raad is a partner, Sean Seelinger is counsel, and Jaime Orloff Feeney and Zaneta Wykowska are associates at Ropes & Gray LLP.

[2] US Dep’t of Justice and US Sec. & Exch. Comm’n, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (2d ed. 2020),

[3] See ‘Mobile TeleSystems PJSC and Its Uzbek Subsidiary Enter into Resolutions of $850 Million with the Department of Justice for Paying Bribes in Uzbekistan’, available at

[4] See ‘Ericsson Agrees to Pay Over $1 Billion to Resolve FCPA Case’, available at

[5] 2020 FCPA Resource Guide, 52-53.

[6] When announcing the policy, former Deputy Attorney General Rod Rosenstein specifically remarked that the DOJ ‘will not look kindly on companies that come to [the DOJ] after making inadequate disclosures to secure lenient penalties with other agencies or foreign governments. In those instances, the Department will act without hesitation to fully vindicate the interests of the United States’. Rod J. Rosenstein, Deputy Att’y Gen., Dep’t of Justice, Remarks to the New York City Bar White Collar Crime Institute (9 May 2018), available at

[7] See, e.g., 31 U.S.C. 5318(g).

[8] For more details, see ‘The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance’, available at (FCPA Enforcement Plan and Guidance).

[9] Memorandum from Eric Holder, Deputy Att’y Gen., Dep’t of Justice, on Bringing Criminal Charges Against Corps. to Dep’t Component Heads and U.S. Attorneys (16 June 1999), available at

[10] Id. at 3 (listing eight factors prosecutors should consider in deciding whether to bring charges against corporations that include ‘[t]he corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents . . . .’).

[11] US Dep’t of Justice, Justice Manual §§ 9-28.000.

[12] Id. §§ 9-28.700 – Value of Cooperation.

[13] Memorandum from Mark Filip, Deputy Att’y Gen. Dept’ of Justice, Principles of Federal Prosecution of Business Organizations (28 August 2008), available at, at 4.

[14] Memorandum from Sally Quillian Yates, Deputy Att’y Gen., Dep’t of Justice, Individual Accountability for Corporate Wrongdoing (9 September 2015), available at, at 3. (Yates Memorandum).

[15] The DOJ revised the section of the Justice Manual titled ‘Principles of Federal Prosecution of Business Organizations’ in November 2015 to reflect these steps.

[16] Justice Manual § 9-28.700 (2015).

[17] Yates Memorandum at 3.

[18] Justice Manual § 9-28.700.

[20] Rod J. Rosenstein, Deputy Att’y Gen., Dep’t of Justice, Remarks at the American Conference Institute’s 35th International Conference on the Foreign Corrupt Practices Act (29 November 2018),

[21] See FCPA Corporate Enforcement Policy, Dep’t of Justice, Justice Manual, §9-47.120, available at (Corporate Enforcement Policy) (emphasis added).

[22] Note 17, above.

[23] See FCPA Enforcement Plan and Guidance.

[24] See Corporate Enforcement Policy.

[25] See Jody Godoy, ‘DOJ Expands Leniency Beyond FCPA, Lets Barclays Off’, Law360, 1 March 2018,

[26] Corporate Enforcement Policy.

[27] The DOJ evaluated corporate co-operation in this manner when reaching its DPA with Mobile TeleSystems in February 2019. See

[28] Corporate Enforcement Policy at § 1. ‘Aggravating circumstances that may warrant a criminal resolution include, but are not limited to, involvement by executive management of the company in the misconduct; a significant profit to the company from the misconduct; pervasiveness of the misconduct within the company; and criminal recidivism.’

[29] FCPA Enforcement Plan and Guidance, at 8–9.

[30] Corporate Enforcement Policy at § 1. The Enforcement Policy provides specific guidance on the criteria for evaluating a corporate compliance programme, while also noting that the criteria may vary based on the size and resources of an organisation. Factors listed in the policy include culture of compliance, compliance resources, the quality and experience of compliance resources, independence and authority of the compliance function, effective risk assessments and risk-based approach, compensation and promotion of compliance employees, compliance-related auditing, and compliance reporting structure.

[35] Matt Miner, Deputy Assistant Att’y Gen., Dep’t of Justice, Remarks at The American Bar Association, Criminal Justice Section Third Global White Collar Crime Institute Conference (27 June 2019),

[36] Memorandum from Brian A. Benczkowski, Assistant Att’y Gen., Dep’t of Justice, (11 October 2018), Selection of Monitors in Criminal Division Matters, available at (Benczkowski Memorandum); ‘Assistant Attorney General Brian A. Benczkowski Delivers Remarks at NYU School of Law Program on Corporate Compliance and Enforcement Conference on Achieving Effective Compliance’, available at

[37] Benczkowski Memorandum at 2.

[38] See ‘Keynote Address at the New York City Bar Association’s 7th Annual White Collar Crime Institute’, available at

[39] In its November 2018 resolution with Vantage Drilling International, the SEC cited co-operation and financial condition as its basis for not imposing a fine. See

[40] The SEC announced its first NPA in an FCPA case in 2013, when it entered into an NPA with Ralph Lauren Corporation relating to bribes paid to government officials in Argentina. See ‘SEC Announces Non-Prosecution Agreement With Ralph Lauren Corporation Involving FCPA Misconduct’, available at The SEC announced its second and third NPAs on 7 June 2016. See ‘SEC Announces Two Non-Prosecution Agreements in FCPA Cases’, available at

[41] See ‘SEC Proposes Whistleblower Rule Amendments’, available at The SEC Chairman, Jay Clayton, indefinitely cancelled the SEC’s meeting to vote on the proposed rule changes, which had been scheduled for 23 October 2019, because of strong opposition to other provisions in the proposed amendments.

[42] See ‘SEC Announces Two Non-Prosecution Agreements in FCPA Cases’, available at

[43] US Dep’t of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (updated June 2020), available at

[44] See ‘Credit Suisse’s Investment Bank in Hong Kong Agrees to Pay $47 Million Criminal Penalty for Corrupt Hiring Scheme that Violated the FCPA’, available at

[45] See ‘Mobile TeleSystems PJSC and Its Uzbek Subsidiary Enter into Resolutions of $850 Million with the Department of Justice for Paying Bribes in Uzbekistan’,

[46] See ‘SEC Awards Over $1.1 Million to Whistleblower for Independent Analysis’, available at

[47] More information is available at the SEC’s ‘Office of the Whistleblower’ site at

[48] See ‘SEC Issues Record $114 Million Whistleblower Award’, available at

[49] Notification of the board of directors is often required under federal securities law. Section 307 of the Sarbanes-Oxley Act of 2002 requires that an attorney report evidence of a material violation of securities laws or breach of fiduciary duty by the company or any agent ‘up-the-ladder’ (i.e., first to the chief legal officer or CEO and, thereafter, if appropriate remedial measures are not taken, to the audit committee of the board or other board committee comprised solely of non-employee directors). Wherever possible, it is best to engage the board’s disclosure counsel to assist in making this determination.

Unlock unlimited access to all Global Investigations Review content