Self-Reporting to the Authorities and Other Disclosure Obligations: The US Perspective

4.1 Introduction

There is typically no formal obligation in the United States to disclose potential wrongdoing to enforcement authorities; however, there can often be strategic advantages to doing so. Subjects of investigations may, in certain cases, avoid some of the most adverse consequences by self-reporting, including reduced penalties and more favourable settlement terms. Additionally, companies in certain regulated sectors may avoid debarment even where clear violations occurred. US regulators are incentivising companies to self-report by offering potential and meaningful co-operation credit for doing so. The Corporate Enforcement Policy of the US Department of Justice (DOJ), first announced in November 2017, updated and formalised the DOJ’s criteria for evaluating and rewarding self-disclosure and co-operation in cases relating to the Foreign Corrupt Practices Act (FCPA). Revisions in March and November 2019 broadened its application beyond the FCPA and clarified the DOJ’s expectations for securing credit. The Corporate Enforcement Policy has been incorporated into the second edition of ‘A Resource Guide to the US Foreign Corrupt Practices Act’ (2020 FCPA Resource Guide), released by the DOJ and the US Securities and Exchange Commission (SEC) in July 2020.^[2] Revisions to the Corporate Enforcement Policy in October 2021 subsequently directed DOJ prosecutors to consider a corporation’s ‘entire record of past misconduct’, reinstated previous guidance that corporations disclose ‘all relevant facts relating to the individuals responsible for the misconduct’, and established a Corporate Crime Advisory Group.^[3] With input from the Corporate Crime Advisory Group, the Corporate Enforcement Policy has been revised again as of 15 September 2022, including with respect to the issues addressed in the October 2021 Monaco Memorandum and the timing of voluntary self-disclosure, among other things.^[4]

4.2 Mandatory self-reporting to authorities

Before considering a voluntary disclosure, it is important for at least two reasons to determine whether the company has a mandatory reporting obligation. First, mandatory reporting obligations often prescribe the recipient, form, timing and content of the disclosure. Second, the evaluation will be materially different if a mandatory report is required, even if that report is in another jurisdiction, given the clear commitment to sharing information between international regulators. In other words, if a company is required to self-report in at least one jurisdiction, it should consider voluntarily disclosing in others given the likelihood that the government agencies will share information.

Despite this, the DOJ has adopted a formal policy to avoid ‘piling on’ duplicative penalties for the same misconduct. Under the policy, various US enforcement agencies must coordinate with each other and with foreign government agencies when reaching settlements with corporations. The 2020 FCPA Resource Guide underscores this anti-piling on policy as part of the growing international effort to combat corruption. It includes, as an example, a declination awarded to a UK seismic event detection equipment company, which was subject to a parallel investigation by the Serious Fraud Office (SFO) for the same conduct and committed to accepting responsibility with the SFO.^[5] However, the DOJ has warned that companies looking to benefit from the policy should self-disclose wrongdoing directly to the DOJ.^[6]

4.2.1 Statutory and regulatory mandatory disclosure obligations

In the United States, most disclosure obligations originate in statute or regulations. Key examples include:

• the Sarbanes-Oxley Act of 2002, which requires the disclosure of all information that has a material financial effect on a public company in periodic financial reports;
• the US Bank Secrecy Act of 1970, which requires financial institutions to disclose certain suspicious transactions or currency transactions in excess of US$10,000 and to report actual or suspected money laundering in certain circumstances;^[7]
• the Anti-Kickback Enforcement Act of 1986, which requires government contractors to make a ‘timely notification’ of violations of federal criminal law or overpayments in connection with the award or performance of most federal government contracts or subcontracts, including those performed outside the United States; and
• state data breach regulations – all 50 US states have laws requiring companies conducting business in the state to disclose data breaches involving personal information.^[8]

4.2.2 Disclosure obligations under agreements with the government

In addition to statutory or regulatory-based mandatory disclosure requirements, companies must also evaluate whether they have any mandatory disclosure obligations under pre-existing agreements with the government. For example, if a company is subject to a deferred prosecution agreement (DPA) (or a corporate integrity agreement (CIA) in the healthcare sector), the agreement often contains self-reporting mandates for any subsequent violations. In some cases, these agreements may require the appointment of independent monitors. DPAs, CIAs and similar agreements have been used frequently in the United States.

4.2.3 Other sources of mandatory disclosure obligations

Individuals and companies may also have mandatory disclosure obligations as a result of private contractual agreements as well as membership in professional bodies. Such disclosures between private parties may lead to a disclosure to a regulator by the receiving entity. For example, a subcontractor may be obliged by contract to report issues to the contracting party. That contracting party may subsequently determine that it is subject to its own reporting obligation (such as reporting obligations under securities regulations) or may choose to self-report to reduce any potential liability.

4.3 Voluntary self-reporting to authorities

Self-reporting and co-operation are important factors for both the DOJ and the SEC in deciding how to proceed with, and resolve investigations and enforcement actions in, cases involving corporations. Companies must carry out a fact-intensive and holistic inquiry in deciding whether to voluntarily self-report to US authorities. There is no one-size-fits-all approach to this analysis, but those contemplating voluntarily disclosing misconduct to US authorities should keep certain considerations in mind, including factors the DOJ and SEC weigh in assessing co-operation credit, such as the timing of the disclosure.

4.3.1 Advantages of voluntarily self-reporting

The primary benefit to self-reporting is to secure potentially reduced penalties through co-operation credit and, moreover, to maintain control over the flow of information to regulators. In recent years, US regulators have become increasingly vocal about the benefits of self-disclosure and co-operation, with the DOJ even formalising those benefits in its FCPA Pilot Program (Pilot Program)^[11] and the Corporate Enforcement Policy and making public pronouncements that DOJ policies are intended to be both transparent and ensure corporations benefit from voluntary self-disclosure.^[12] Yet, co-operation, which often goes hand in hand with a voluntary disclosure, imposes significant demands on corporations and is not without meaningful risk.

4.3.1.1 DOJ co-operation credit

To encourage self-reporting and co-operation, the DOJ has issued, and regularly revised, guidance on the subject for many years. In June 1999, the then Deputy Attorney General Eric Holder issued the Principles of Federal Prosecution of Business Organizations, now known as the ‘Holder Memorandum’, to articulate and standardise the factors to be considered by federal prosecutors in making charging decisions against corporations.^[13] The Holder Memorandum instructed DOJ prosecutors to consider as a factor in bringing charges whether a corporation has timely and voluntarily disclosed wrongdoing and whether it has been willing ‘to cooperate in the investigation of its agents’.^[14] In 2008, the then Deputy Attorney General Mark R Filip added language to the US Attorneys’ Manual, now titled the Justice Manual,^[15] instructing prosecutors to consider ‘the corporation’s willingness to provide relevant information and evidence and identify relevant actors within and outside the corporation, including senior executives’, when assessing a corporation’s co-operation.^[16] Mr Filip also outlined in his memorandum nine factors on which prosecutors should base their corporate charging and resolution decisions, the ‘Filip Factors’, which now comprise 11 factors and are listed in the Justice Manual.^[17]

The Yates Memorandum

Building on the Holder Memorandum and the Filip Factors, the then Deputy Attorney General Sally Quillian Yates issued the Memorandum of Individual Accountability for Corporate Wrongdoing in September 2015, known as the ‘Yates Memorandum’. This outlines the ‘six key steps’ prosecutors should take in all investigations of corporate wrongdoing. The most significant policy shift in the Yates Memorandum concerned the relationship between a company’s co-operation with respect to individual wrongdoers and the company’s eligibility for co-operation credit. Under the Yates Memorandum, the identification of responsible individuals became a ‘threshold requirement’ for receiving any co-operation credit consideration. Ms Yates also emphasised that a failure to conduct a robust internal investigation is not an excuse, stating that companies ‘may not pick and choose what facts to disclose’.

Former Deputy Attorney General Rod Rosenstein announced a shift in the DOJ’s policy in 2018. Under the revised policy, a corporation was entitled to co-operation credit in criminal proceedings as long as it disclosed ‘all relevant facts known to it at the time of the disclosure, including as to any individuals substantially involved in or responsible for the misconduct at issue’.^[18] On 28 October 2021, however, Deputy Attorney General Lisa Monaco announced that the DOJ was reverting to the original formulation in the Yates Memorandum. Specifically, Ms Monaco stated that to receive co-operation credit, ‘companies must provide the department with all non-privileged information about individuals involved in or responsible for the misconduct at issue’, regardless of position, status or seniority – a stance also included in the October 2021 Monaco Memorandum.^[19]

On 15 September 2022, Ms Monaco announced additional revisions to the DOJ’s enforcement policies for corporations. The revisions described in the September 2022 Monaco Memorandum provide additional guidance regarding both the DOJ’s priority to hold accountable individuals who commit and profit from corporate crime as well as voluntary self-reporting by corporations, among other things.^[20] Expanding on the Yates Memorandum, the revisions make clear that the timing of disclosures made to the DOJ is of critical importance: ‘to receive full cooperation credit, corporations must produce on a timely basis all relevant, non-privileged facts and evidence about individual misconduct such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals’.^[21] The revisions also suggest, absent more specific guidance from prosecutors, that corporations prioritise ‘production of evidence to the government that is most relevant for assessing individual culpability’. Principal Associate Deputy Attorney General Marshall Miller reiterated that timely disclosure is critical in a keynote address just a few days later, on 20 September 2022, specifically noting that the DOJ ‘will expect cooperating companies to produce hot documents or evidence in real time’, that corporate co-operation ‘will be evaluated with timeliness as a principal factor’, and that undue or intentional delay in document production relating to individual culpability ‘will result in reduction or denial of co­operation credit’.^[22]

With respect to voluntary self-reporting, the September 2022 Monaco Memorandum also re-emphasises the DOJ’s continued desire to encourage corporations to self-report. For example, the memorandum makes clear that timely voluntary self-disclosures can ‘reflect that a corporation is appropriately working to detect misconduct and takes seriously its responsibility to instill and act upon a culture of compliance’ and directs prosecutors to credit timely, voluntary self-disclosures appropriately.^[23] The memorandum also directed all of the DOJ’s components to review (or establish) and publicly share written policies for corporate voluntary self-disclosures – including as to their timing, the need for timely preservation and production of documents and information, what information should be provided in them, and the specific benefits a corporation may expect to receive if they meet the standards for self-disclosure.^[24] These written policies must adhere to two core principles expressed in the September 2022 Monaco Memorandum: (1) the DOJ will not seek a guilty plea from a corporation that has ‘voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated the criminal conduct’ absent specified ‘aggravating factors’, and (2) the DOJ will not require an independent compliance monitor for a co-operating corporation that voluntarily self-discloses if, at the time of resolution, the corporation shows it has implemented and tested an effective compliance programme. Less than one week later, the Miller Keynote Address reinforced the point by citing several examples of instances where voluntary self-disclosure drove different resolutions, including, for example, investigations into criminal price-fixing in the canned tuna market that resulted in Bumble Bee Foods pleading guilty and paying a US$25 million fine, and StarKist pleading guilty and paying a statutory maximum US$100 million fine, while another company that voluntarily self-reported was not prosecuted and paid no fine.^[25]

The Justice Manual also continues to specify that ‘[t]here may be circumstances where, despite its best efforts to conduct a thorough investigation, a company genuinely cannot get access to certain evidence or is legally prohibited from disclosing it to the government’.^[26] Nevertheless, the Justice Manual is clear that in such cases, ‘the company seeking cooperation will bear the burden of explaining the restrictions it is facing to the prosecutor’. Consequently, thorough and properly scoped internal investigations are of critical importance.

The Corporate Enforcement Policy

In November 2017, the DOJ announced that it would be incorporating its Corporate Enforcement Policy to incentivise voluntary self-disclosure of misconduct into the Justice Manual, following on from a successful Pilot Program in 2016.^[27] On 1 March 2018, the DOJ announced that it would apply the Corporate Enforcement Policy as non-binding guidance in criminal cases outside the FCPA context.^[28] Moreover, the most substantial addition to the 2020 FCPA Resource Guide is a section incorporating the Corporate Enforcement Policy, underscoring the DOJ’s and SEC’s emphasis on voluntary self-disclosure, co-operation and remediation. In light of these developments, the Corporate Enforcement Policy provides valuable guidance to corporations as they investigate misconduct and contemplate voluntary disclosure.^[29]

The Corporate Enforcement Policy outlines the requirements for a company to earn credit for voluntary self-disclosure. The disclosure must (1) occur prior to an imminent threat of disclosure or government investigation, (2) be disclosed within a reasonably prompt time after the company becomes aware of the offence and (3) include all relevant facts known to the company at the time of disclosure, including all relevant facts about the individuals substantially involved in, or responsible for, the misconduct.^[30] The November 2019 changes to the Corporate Enforcement Policy acknowledge the DOJ’s recognition, in a footnote, that ‘a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure’. The Corporate Enforcement Policy also now requires the company to alert the DOJ to evidence of the misconduct when it becomes aware of it, whereas, previously, where the company was or should have been aware of opportunities for the DOJ to obtain evidence not in the company’s possession, it had to identify those opportunities to the DOJ to receive full co-operation credit.

In addition, the Corporate Enforcement Policy contains specific guidance on the steps a company must take to earn full co-operation credit and to provide timely and appropriate remediation, consistent with the Yates Memorandum, the October 2021 Monaco Memorandum, the September 2022 Monaco Memorandum and the Justice Manual’s Sentencing Guidelines. The exact level of co-operation credit available to a corporation will vary based on the investigation. It is possible for a corporation to earn full credit under the US Sentencing Guidelines but not earn additional credit under the Corporate Enforcement Policy.^[31]

The Corporate Enforcement Policy provides benefits to a company that satisfies all the requirements for voluntary self-disclosure, co-operation and remediation. Companies that fully co-operate with DOJ investigations and implement appropriate remediation in FCPA matters, but that do not voluntarily self-disclose, will be eligible for limited credit, at most a 25 per cent reduction off the bottom of the Sentencing Guidelines fine range. However, when a company has voluntarily self-disclosed, fully co-operated with the DOJ, and timely and appropriately remediated, the Corporate Enforcement Policy creates a rebuttable presumption, which may be overcome by ‘aggravated circumstances’ related to the nature and seriousness of the offence, that the DOJ will grant a declination.^[32] Under the Corporate Enforcement Policy, if the presumption is overcome and a criminal resolution is warranted, the DOJ will recommend a 50 per cent reduction off the low end of the Sentencing Guidelines fine range and generally will not require the appointment of a monitor if the company has, at the time of resolution, implemented an effective compliance programme.^[33]

By publishing its rationale for issuing declinations, the DOJ has sought to provide ‘increased transparency as to [the] evaluation process’.^[34] However, in a June 2019 speech to the American Bar Association, former Deputy Assistant Attorney General Matt Miner announced that the DOJ would be open to keeping declinations private where public release is ‘neither necessary nor warranted’. Miner gave the example of a corporation that discovers inconsequential bribes in an M&A transaction and self-discloses immediately – in such a case, the agency would be ‘open to discussion’ regarding publicly releasing the declination. Nonetheless, Miner maintained that this decision will always remain in the agency’s discretion. There are also instances in which it is possible to infer that a declination may have occurred, including when relatively isolated misconduct is self-reported. For instance, in 2018, CHS Inc announced in a securities filing that it voluntarily self-disclosed potential FCPA violations in connection with a small number of reimbursements made to Mexican customs agents.^[35]

Since 2016, the DOJ has issued 15 public declinations under the Corporate Enforcement Policy and the earlier Pilot Program, most recently in March 2022.^[36] Although there have been relatively few FCPA corporate resolutions in immediate years, recent resolutions demonstrate the DOJ is applying self-disclosure, co-operation and remediation credit as part of the Corporate Enforcement Policy. For example, in August 2020, the DOJ issued a declination letter in connection with its investigation into World Acceptance Corporation (WAC) despite allegations of bribes paid by employees of WAC and its Mexican subsidiary to union and state government officials between 2010 and 2017.^[37] WAC made a voluntary self-disclosure to the DOJ on learning of the conduct; proactively co-operated with the DOJ, including provision of known relevant facts about the misconduct; and took steps to remediate, including by providing additional FCPA training as part of its compliance programme, by dismissing executives under whom the misconduct took place, and by discontinuing its relationships with third parties involved in the misconduct. Similarly, in September 2019, the DOJ issued a declination letter to Quad/Graphics Inc despite allegations of bribes paid by employees of its Peruvian subsidiary between 2011 and 2016, citing its prompt, voluntary self-disclosure of the misconduct; thorough and comprehensive investigation; full and proactive co-operation, including provision of all relevant facts about the misconduct; its agreement to co-operate in the DOJ’s continuing investigation and prosecutions; its full remediation through strengthening its compliance programme and terminating both employees and its relationships with third parties involved in the misconduct; and an agreement to disgorge any ill-gotten gains to the SEC, among other things.^[38]

The Corporate Enforcement Policy and the Pilot Program before it have demonstrated the DOJ’s commitment to rewarding voluntary self-disclosure in FCPA enforcement, and by many accounts have been viewed as very successful.

Benczkowski Memorandum

As part of the DOJ’s ongoing effort to update and clarify its corporate enforcement policies, in October 2018, the then Assistant Attorney General Brian Benczkowski issued new guidance on imposing corporate compliance monitors, which is now known as the ‘Benczkowski Memorandum’.^[39] The guidance supplemented the 2008 ‘Morford Memorandum’, which outlined the principles on selection, scope and duration of monitorships, and supersedes the guidance contained in the 2009 ‘Breuer Memorandum’ on imposing corporate monitors. Former Assistant Attorney General Brian Benczkowski explained that the goal of the new guidance was to ‘further refine the factors that go into the determination of whether a monitor is needed, as well as clarify and refine the monitor selection process’.

Under the Benczkowski Memorandum, the potential benefits of employing a corporate monitor should be weighed against the cost of a monitor and its impact on the operations of the corporation. In making a determination to impose a corporate monitor, the DOJ will consider a number of factors, including the type of misconduct, the pervasiveness of the conduct and whether it involved senior management, the investments and improvements a company has made to its corporate compliance programme and internal controls, and whether those improvements have been tested to demonstrate that they would prevent or detect similar misconduct in the future. Other factors include whether remedial actions were taken against individuals involved, and the industry and geography in which the company operates and the nature of the company’s clientele. The Benczkowski Memorandum provides: ‘Where a corporation’s compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will not be necessary.’^[40]

A key feature of the Benczkowski Memorandum is that companies can receive meaningful credit, namely avoiding a compliance monitor, by engaging in extensive remediation of their compliance programmes. The DOJ imposed monitors in four enforcement actions in 2019, one in 2020, one in 2021, and, at the time of writing, one in 2022.^[41]

Monaco Memorandum

Deputy Attorney General Lisa Monaco’s remarks on 28 October 2021, given at the American Bar Association’s 36th National Institute on White Collar Crime, signalled that the DOJ may make more use of monitors going forward.^[42] Monaco made clear that the DOJ ‘is free to require the imposition of independent monitors whenever it is appropriate to do so in order to satisfy our prosecutors that a company is living up to its compliance and disclosure obligations’, and, to the extent that prior guidance suggested ‘that monitorships are disfavoured or are the exception’, that guidance is rescinded. The September 2022 Monaco Memorandum substantially expanded the DOJ’s guidance on the imposition of monitors. It explained that the DOJ will not impose a presumption for or against monitors, but rather will assess whether a monitor is appropriate case by case.^[43] Specifically, the memorandum sets forth 10 non-exclusive factors that prosecutors should consider when determining whether an independent compliance monitor is warranted, including whether the conduct was voluntarily self-disclosed, whether the conduct was pervasive and long-lasting, the remedial measures taken by the company, and the adequacy of the company’s compliance programme.^[44]

4.3.1.2 SEC co-operation credit

Although it can be difficult to precisely quantify the benefit of co-operation with the SEC, the SEC considers general principles of sentencing, especially general deterrence. In both public statements and in practice, the SEC has made clear that companies can receive significant leniency for full co-operation. During a speech on 9 May 2018, former Enforcement Division Co-Director Steven Peikin emphasised the importance of co-operation, noting that the SEC would continue to provide ‘incentives to those who come forward and provide valuable information’.^[45] In remarks made on 4 November 2021 – shortly after Deputy Attorney General Lisa Monaco’s remarks on 28 October 2021 – SEC Chairperson Gary Gensler expressed the SEC’s general agreement with Ms Monaco’s October 2021 remarks.^[46] Mr Gensler also made clear the SEC’s interest in corporate co-operation by stating, ‘[a]ll things being equal, if you work cooperatively to bring wrongdoing to light, you fare better than if you try to mask it’. Co-operation may influence the Commission’s decision whether to impose a civil monetary penalty.

While the SEC has not entered into any non-prosecution agreements (NPAs) since 2016 and has only entered into three since their inception in 2010,^[47] the SEC nevertheless signalled its continued commitment to using NPAs to reward co-operation through amendments, passed in September 2020, to the rules governing monetary awards to whistleblowers. Specifically, the amendments clarify the SEC’s ability to make award payments to whistleblowers based on money collected as a result of DPAs and NPAs entered into by the DOJ and SEC, to ‘ensure that whistleblowers are not disadvantaged because of the particular form of an action’ that the applicable authority takes.^[48] The SEC will, however, set a high bar before entering into an NPA in an FCPA enforcement action, if it does so again. With respect to NPAs entered into with Akamai Technologies and Nortek, in 2016, Kara Brockmeyer, the then Chief of the SEC Enforcement Division’s FCPA Unit, stated: ‘Akamai and Nortek each promptly tightened their internal controls after discovering the bribes and took swift remedial measures to eliminate the problems. They handled it the right way and got expeditious resolutions as a result.’^[49]

4.4 Risks in voluntarily self-reporting

While self-disclosure can reap significant monetary benefits, a company must balance the potential risks against any potential benefit. Self-reporting can give rise to lengthy and expensive co-operation obligations and increased government scrutiny. As discussed above, the multi-jurisdictional nature of many ‘white-collar’ matters means that self-reporting may lead to enquiries from global regulators, differing resolutions and ongoing obligations. Moreover, self-reporting may ultimately lead to enforcement action – regardless of whether the company ultimately receives credit for doing so. Even though self-reporting may reduce fines or penalties substantially and increase the likelihood of the company receiving a declination, NPA or DPA, it remains the case that reputational harms, investigation into other potential misconduct at the company, collateral litigation, shareholder suits and other collateral consequences may nonetheless result.

Compliance programmes

Companies self-reporting may need to demonstrate they have effective compliance programmes in place or establish them. Even for self-reporting companies, the DOJ is likely to impose a stringent bar when evaluating the sufficiency of compliance programmes to determine whether the requirements of the Corporate Enforcement Policy are met or to otherwise reduce liability. On 1 June 2020, the DOJ published revised guidance on Evaluation of Corporate Compliance Programs^[50] (the Guidance), first released in February 2017 and updated in April 2019. The Guidance is framed around three fundamental questions as to whether the corporation’s compliance programme (1) is well designed, (2) is being applied earnestly and in good faith (i.e., is adequately resourced and empowered to function effectively), and (3) works in practice. The Guidance has since also been incorporated into the 2020 FCPA Resource Guide, which notes the DOJ’s position that ‘the truest measure of an effective compliance program is how it responds to misconduct’. On 25 March 2022, Assistant Attorney General Kenneth A Polite Jr gave a speech providing additional colour about how the DOJ evaluates these requirements.^[51] In assessing design, the DOJ ‘closely examine[s] the company’s process for assessing risk’ to determine if it has implemented policies and procedures to address key risk areas, as well as the company’s processes for training and reporting violations of law. For resourcing, the DOJ wants to know ‘more than dollars, headcount, and reporting lines’, including the qualifications and expertise of compliance personnel and the stature of the compliance function. And for operation in practice, the DOJ will look at whether the company is ‘continually testing’ its compliance programme, identifying gaps and addressing root causes, and demonstrating an ethical culture in practice.

Although the content of the Guidance is largely familiar to practitioners, it does give a clearer picture of the DOJ’s current approach to corporate compliance. The Guidance underscores the DOJ’s focus on the operation, rather than the appearance, of corporate compliance programmes. The Guidance suggests that companies should expect to be asked detailed and challenging questions regarding the scope and effectiveness of their compliance programmes, both at the time of the offence and at the time of the charging decision and resolution. The Guidance emphasises the DOJ’s expectation that compliance programmes should be risk-based and tailored to the specific commercial realities of the company’s business, and that companies should continually reassess their risk profiles and the efficacy of their compliance programmes to ensure their programmes are fit to address evolving risks and trends. Moreover, the Guidance makes clear that the DOJ will enquire about the company’s culture of compliance at all levels of the business, including middle management as well as senior management, and whether the company’s compliance function has sufficient access to data across the business and makes use of data analytics to monitor and test policies, controls and transactions. In the mergers and acquisitions context, the Guidance emphasises the need for pre-acquisition compliance due diligence as well as post-closing integration.

If a company’s compliance programme fails to withstand such scrutiny, it risks losing credit for the programme, paying higher penalties or even facing separate violations for inadequate internal controls. Taking these existing increasingly stringent co-operation standards into consideration, companies considering self-disclosure should carefully assess whether they can meet regulator expectations. If companies fall short, regulators may refuse co-operation credit and use the information obtained through the self-disclosure against the company.

4.5 Risks in choosing not to self-report

US regulators have warned that the potential downside of not self-reporting any violation could be significant where the matter is otherwise brought to their attention. For example, in a March 2022 press release announcing a guilty plea and a US$700 million FCPA settlement with Glencore International AG (Glencore) and Glencore Ltd to resolve allegations of bribing officials in a number of countries, the DOJ noted that Glencore did not timely disclose the conduct that triggered the investigation, and it did not receive full co-operation credit because it delayed in producing evidence and did not timely and appropriately discipline employees involved.^[52]

Consequently, companies should carefully consider the likelihood that the conduct will be discovered by other means. For instance, if regulators undertake an industry-wide investigation into particular practices, which we have observed in recent years with pharmaceutical companies, medical device manufacturers and automobile companies, a company might be exposed by a competitor’s self-report or more passively through a third-party subpoena or any investigative demand.

Companies should also be sensitive to increasing whistleblower activity. Current or former employees are incentivised to report potential misconduct to US regulators, which has led to substantial recoveries for the government. The SEC’s whistleblower programme has been steadily active, with 281 individuals receiving approximately US$1.3 billion between 2012 and August 2022.^[53] Whistleblowers are eligible to receive awards between 10 per cent and 30 per cent of the money recovered if their ‘high-quality original information’ leads to enforcement actions in which the SEC orders at least US$1 million.^[54] Moreover, the SEC’s 2020 amendments to the rules governing the whistleblower award programme provide that for awards where the statutory maximum amount is US$5 million or less, there is a presumption that the SEC will pay the claimant the 30 per cent maximum statutory award unless there are negative award criteria present, subject to certain limitations.^[55] And in August 2022, the SEC adopted amendments to (1) allow the Commission to pay whistleblowers in non-SEC actions where another federal agency’s programme is not comparable to the SEC’s or if the award would not exceed US$5 million and (2) affirmed the Commission’s authority to consider the dollar amount of a potential award for the limited purpose of increasing – but not decreasing – an award.^[56] The programme continues to be a priority for the Commission. In October 2020, the SEC announced what remains the largest whistleblower award to date, with a single whistleblower receiving over US$114 million.^[57] Additionally, the Anti-Money Laundering Act of 2021 expanded incentives for whistleblowers to disclose potential anti-money laundering related violations.^[58] It is therefore important that a company consider the real possibility that its conduct could be exposed by means other than voluntary self-disclosure, and the associated, often expensive, risks associated with not being the first to come forward.

4.6 Briefing the board

When deciding not to self-report, a company must ensure that the decision is appropriately considered and documented. If a company decides not to self-report and the government later enquires about the issue, the best defence is that the company conducted a thorough investigation, remediated the issue and had a reasonable basis for not self-reporting to the government. US regulators will look to a company’s board of directors to ensure the appropriate steps were taken. The SEC, for instance, has expressed that the board must exercise oversight and set a strong ‘tone at the top’ emphasising the importance of compliance.^[59]

An important consideration is if and when the board should be briefed about potential misconduct, particularly where voluntary self-reporting may benefit the corporation.^[60] It can be advisable to keep boards apprised of internal investigations into potential misconduct, particularly to the extent the issues are potentially material to the company or its strategic interests, with more detailed reporting as necessary depending on the severity or veracity of allegations. If it is determined that there is a reasonable probability of significant civil regulatory or criminal exposure, the board should be notified of significant developments in the investigation, remediation and, if necessary, government interactions. In briefing the board, it is important to balance the need to document that the board was informed in detail about the status and results of the investigation with the risk that board materials could ultimately be subject to disclosure, including for example through shareholder requests, government investigations or other discovery requests, or required disclosures.

4.7 Conclusion

The decision for a corporation to voluntarily self-disclose potential misconduct to the DOJ or SEC involves a wide variety of considerations described in this chapter. Corporate decision makers must weigh the benefits of self-reporting, such as reduced fines and presumptions against guilty pleas, against the risks attendant to reporting such misconduct, such as negative publicity and potential collateral consequences resulting from the investigation or prosecution of misconduct, often in the face of uncertainty. These decisions are inherently fact- and circumstance-specific, and should be carefully considered in light of the evolving guidance provided by the DOJ and SEC.

Footnotes