Self-Reporting to the Authorities and Other Disclosure Obligations: The US Perspective
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
There is typically no formal obligation in the United States to disclose potential wrongdoing to enforcement authorities; however, there can often be strategic advantages to doing so. Subjects of investigations may, in certain cases, avoid some of the most adverse consequences by self-reporting, including reduced penalties and more favourable settlement terms. Additionally, companies in certain regulated sectors may avoid debarment even where clear violations occurred.
US regulators are incentivising companies to self-report by offering potential and meaningful cooperation credit for doing so. The Corporate Enforcement Policy of the US Department of Justice (DOJ), first announced in November 2017, updated and formalised the DOJ’s criteria for evaluating and rewarding self-disclosure and cooperation in cases relating to the Foreign Corrupt Practices Act (FCPA). Revisions in March and November 2019 broadened its application beyond the FCPA and clarified the DOJ’s expectations for securing credit. The Corporate Enforcement Policy was incorporated into the second edition of ‘A Resource Guide to the US Foreign Corrupt Practices Act’ (2020 FCPA Resource Guide), released by the DOJ and the US Securities and Exchange Commission (SEC) in July 2020. Revisions to the Corporate Enforcement Policy in October 2021 subsequently directed DOJ prosecutors to consider a corporation’s ‘entire record of past misconduct’, reinstated previous guidance that corporations disclose ‘all relevant facts relating to the individuals responsible for the misconduct’, and established a Corporate Crime Advisory Group.
With input from the Corporate Crime Advisory Group, the Corporate Enforcement Policy was revised again as of 15 September 2022, including with respect to the issues addressed in the October 2021 Monaco Memorandum and the timing of voluntary self-disclosure, among other things. The DOJ announced further revisions to the Corporate Enforcement Policy on 17 January 2023 and rolled out a new Voluntary Self-Disclosure Policy to all US Attorneys’ offices on 24 February 2023, which drew from existing policies, such as the Corporate Enforcement Policy to apply uniform standards at the local level of US Attorneys’ offices nationwide.
In October 2023, the DOJ announced a new policy governing voluntary self-disclosures in the context of mergers and acquisitions.
4.2 Mandatory self-reporting to authorities
Before considering a voluntary disclosure, there are at least two reasons why it is important to determine whether the company has a mandatory reporting obligation. First, mandatory reporting obligations often prescribe the recipient, form, timing and content of the disclosure. Second, the evaluation will be materially different if a mandatory report is required, even if the report is in another jurisdiction, given the clear commitment to sharing information between international regulators; in other words, if a company is required to self-report in at least one jurisdiction, it should consider voluntarily disclosing in others given the likelihood that the government agencies will share information.
Despite this, the DOJ has adopted a formal policy to avoid ‘piling on’ duplicative penalties for the same misconduct. Under the policy, various US enforcement agencies must coordinate with each other and with foreign government agencies when reaching settlements with corporations. The 2020 FCPA Resource Guide underscores this anti-piling on policy as part of the growing international effort to combat corruption. It includes, as an example, a declination awarded to a UK seismic event detection equipment company, which was subject to a parallel investigation by the Serious Fraud Office (SFO) for the same conduct and committed to accepting responsibility with the SFO. However, the DOJ has warned that companies looking to benefit from the policy should self-disclose wrongdoing directly to the DOJ.
4.2.1 Statutory and regulatory mandatory disclosure obligations
In the United States, most disclosure obligations originate in statute or regulations. Key examples include:
- the Sarbanes-Oxley Act of 2002, which requires the disclosure of all information that has a material financial effect on a public company in periodic financial reports;
- the US Bank Secrecy Act of 1970, which requires financial institutions to disclose certain suspicious transactions or currency transactions in excess of US$10,000 and to report actual or suspected money laundering in certain circumstances;
- the Anti-Kickback Enforcement Act of 1986, which requires government contractors to make a ‘timely notification’ of violations of federal criminal law or overpayments in connection with the award or performance of most federal government contracts or subcontracts, including those performed outside the United States; and
- state data breach regulations – all 50 US states have laws requiring companies conducting business in the state to disclose data breaches involving personal information.
4.2.2Disclosure obligations under agreements with the government
In addition to statutory or regulatory-based mandatory disclosure requirements, companies must evaluate whether they have any mandatory disclosure obligations under pre-existing agreements with the government. For example, if a company is subject to a deferred prosecution agreement (DPA) (or a corporate integrity agreement (CIA) in the healthcare sector), the agreement often contains self-reporting mandates for any subsequent violations. In some cases, these agreements may require the appointment of independent monitors. DPAs, CIAs and similar agreements have been used frequently in the United States.
4.2.3 Other sources of mandatory disclosure obligations
Individuals and companies may have mandatory disclosure obligations from private contractual agreements and membership in professional bodies. Such disclosures between private parties may lead to a disclosure to a regulator by the receiving entity. For example, a subcontractor may be contractually obliged to report issues to the contracting party, which may subsequently determine that it is subject to its own reporting obligation (e.g., reporting obligations under securities regulations) or may choose to self-report to reduce any potential liability.
4.3 Voluntary self-reporting to authorities
Self-reporting and cooperation are important factors for both the DOJ and the SEC in deciding how to proceed with, and resolve investigations and enforcement actions in, cases involving corporations. Companies must carry out a fact-intensive and holistic inquiry in deciding whether to voluntarily self-report to US authorities. There is no one-size-fits-all approach to this analysis, but certain considerations should be kept in mind, including factors the DOJ and the SEC weigh in assessing cooperation credit (e.g., the timing of the disclosure).
|Key government considerations in assessing self-disclosure and cooperation credit
4.3.1 Advantages of voluntarily self-reporting
The primary benefit to self-reporting is to secure potentially reduced penalties through cooperation credit and, moreover, to maintain control over the flow of information to regulators. In recent years, US regulators have become increasingly vocal about the benefits of self-disclosure and cooperation, with the DOJ even formalising those benefits in its FCPA Pilot Program (Pilot Program) and the Corporate Enforcement Policy and making public pronouncements that DOJ policies are intended to be both transparent and ensure corporations benefit from voluntary self-disclosure. Yet, cooperation, which often goes hand in hand with a voluntary disclosure, imposes significant demands on corporations and is not without meaningful risk.
220.127.116.11 DOJ cooperation credit
To encourage self-reporting and cooperation, the DOJ has issued, and regularly revised, guidance on the subject for many years. In June 1999, the then Deputy Attorney General Eric Holder issued the Principles of Federal Prosecution of Business Organizations, now known as the Holder Memorandum to articulate and standardise the factors to be considered by federal prosecutors in making charging decisions against corporations. The Holder Memorandum instructed DOJ prosecutors to consider as a factor in bringing charges whether a corporation has voluntarily disclosed wrongdoing in a timely manner and whether it has been willing ‘to cooperate in the investigation of its agents’.
In 2008, the then Deputy Attorney General Mark R Filip added language to the US Attorneys’ Manual, now titled the Justice Manual, instructing prosecutors to consider ‘the corporation’s willingness to provide relevant information and evidence and identify relevant actors within and outside the corporation, including senior executives’ when assessing a corporation’s cooperation. Mr Filip also outlined in his memorandum nine factors on which prosecutors should base their corporate charging and resolution decisions, the Filip Factors, which now comprise 11 factors and are listed in the Justice Manual.
The Yates Memorandum
Building on the Holder Memorandum and the Filip Factors, the then Deputy Attorney General Sally Quillian Yates issued the Memorandum of Individual Accountability for Corporate Wrongdoing in September 2015, known as the Yates Memorandum. This outlines the ‘six key steps’ prosecutors should take in all investigations of corporate wrongdoing. The most significant policy shift in the Yates Memorandum concerned the relationship between a company’s cooperation with respect to individual wrongdoers and the company’s eligibility for cooperation credit. Under the Yates Memorandum, the identification of responsible individuals became a ‘threshold requirement’ for receiving any cooperation credit consideration. Ms Yates also emphasised that a failure to conduct a robust internal investigation is not an excuse, stating that companies ‘may not pick and choose what facts to disclose’.
Former Deputy Attorney General Rod Rosenstein announced a shift in the DOJ’s policy in 2018. Under the revised policy, a corporation was entitled to cooperation credit in criminal proceedings as long as it disclosed ‘all relevant facts known to it at the time of the disclosure, including as to any individuals substantially involved in or responsible for the misconduct at issue’. On 28 October 2021, however, Deputy Attorney General Lisa Monaco announced that the DOJ was reverting to the original formulation in the Yates Memorandum. Specifically, Ms Monaco stated that to receive cooperation credit, ‘companies must provide the department with all non-privileged information about individuals involved in or responsible for the misconduct at issue’, regardless of position, status or seniority – a stance also included in the October 2021 Monaco Memorandum.
On 15 September 2022, Ms Monaco announced additional revisions to the DOJ’s enforcement policies for corporations. The revisions described in the September 2022 Monaco Memorandum provide additional guidance regarding both the DOJ’s priority to hold accountable individuals who commit and profit from corporate crime as well as voluntary self-reporting by corporations, among other things. Expanding on the Yates Memorandum, the revisions make clear that the timing of disclosures made to the DOJ is of critical importance: ‘to receive full cooperation credit, corporations must produce on a timely basis all relevant, non-privileged facts and evidence about individual misconduct such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals’. The revisions also suggest, absent more specific guidance from prosecutors, that corporations prioritise ‘production of evidence to the government that is most relevant for assessing individual culpability’.
Principal Associate Deputy Attorney General Marshall Miller reiterated that timely disclosure is critical in a keynote address just a few days later, on 20 September 2022, specifically noting that the DOJ ‘will expect cooperating companies to produce hot documents or evidence in real time’, that corporate cooperation ‘will be evaluated with timeliness as a principal factor’, and that undue or intentional delay in document production relating to individual culpability ‘will result in reduction or denial of cooperation credit’.
With respect to voluntary self-reporting, the September 2022 Monaco Memorandum also re-emphasises the DOJ’s continued desire to encourage corporations to self-report. For example, the memorandum makes clear that timely voluntary self-disclosures can ‘reflect that a corporation is appropriately working to detect misconduct and takes seriously its responsibility to instil and act upon a culture of compliance’ and directs prosecutors to credit timely, voluntary self-disclosures appropriately.
The September 2022 Monaco Memorandum also directed all the DOJ’s components to review (or establish) and publicly share written policies for corporate voluntary self-disclosures – including as to their timing, the need for timely preservation and production of documents and information, what information should be provided in them, and the specific benefits a corporation may expect to receive if they meet the standards for self-disclosure. These written policies must adhere to two core principles expressed in the September 2022 Monaco Memorandum:
- the DOJ will not seek a guilty plea from a corporation that has ‘voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated the criminal conduct’ absent specified ‘aggravating factors’; and
- the DOJ will not require an independent compliance monitor for a cooperating corporation that voluntarily self-discloses if, at the time of resolution, the corporation shows it has implemented and tested an effective compliance programme.
Less than one week later, the Miller Keynote Address reinforced the point by citing several examples of instances where voluntary self-disclosure drove different resolutions, including investigations into criminal price-fixing in the canned tuna market that resulted in Bumble Bee Foods pleading guilty and paying a US$25 million fine, and StarKist pleading guilty and paying a statutory maximum US$100 million fine, while another company that voluntarily self-reported was not prosecuted and paid no fine.
Similarly, though it underwent revisions in March and April 2023, the Justice Manual continues to specify that ‘[t]here may be circumstances where, despite its best efforts to conduct a thorough investigation, a company genuinely cannot get access to certain evidence or is legally prohibited from disclosing it to the government’. Nevertheless, the Justice Manual is clear that in those cases, ‘the company seeking cooperation will bear the burden of explaining the restrictions it is facing to the prosecutor’. Consequently, thorough and properly scoped internal investigations are of critical importance.
The Corporate Enforcement Policy
In November 2017, the DOJ announced that it would be incorporating its Corporate Enforcement Policy to incentivise voluntary self-disclosure of misconduct into the Justice Manual, following on from a successful Pilot Program in 2016. On 1 March 2018, it announced that it would apply the Corporate Enforcement Policy as non-binding guidance in criminal cases outside the FCPA context.
The most substantial addition to the 2020 FCPA Resource Guide is a section incorporating the Corporate Enforcement Policy, underscoring the DOJ’s and the SEC’s emphasis on voluntary self-disclosure, cooperation and remediation. In light of these developments, the Corporate Enforcement Policy provides valuable guidance to corporations as they investigate misconduct and contemplate voluntary disclosure.
The Corporate Enforcement Policy outlines the requirements for a company to earn credit for voluntary self-disclosure. The disclosure must:
- occur prior to an imminent threat of disclosure or government investigation;
- be disclosed within a reasonably prompt time after the company becomes aware of the offence; and
- include all relevant facts known to the company at the time of disclosure, including all relevant facts about the individuals substantially involved in, or responsible for, the misconduct.
The November 2019 changes to the Corporate Enforcement Policy acknowledge the DOJ’s recognition, in a footnote, that ‘a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure’. The Corporate Enforcement Policy also requires the company to alert the DOJ to evidence of the misconduct when it becomes aware of it, whereas, previously, where the company was or should have been aware of opportunities for the DOJ to obtain evidence not in the company’s possession, it had to identify those opportunities to the DOJ to receive full cooperation credit.
In addition, the Corporate Enforcement Policy contains specific guidance on the steps a company must take to earn full cooperation credit and to provide timely and appropriate remediation, consistent with the Yates Memorandum, the October 2021 Monaco Memorandum, the September 2022 Monaco Memorandum and the Justice Manual’s Sentencing Guidelines. The exact level of cooperation credit available to a corporation will vary based on the investigation. It is possible for a corporation to earn full credit under the US Sentencing Guidelines but not earn additional credit under the Corporate Enforcement Policy.
The Corporate Enforcement Policy provides benefits to a company that satisfies all the requirements for voluntary self-disclosure, cooperation and remediation. Under the Corporate Enforcement Policy historically, when a company had voluntarily self-disclosed, fully cooperated with the DOJ, and appropriately remediated in a timely manner, there would be a rebuttable presumption, which could be overcome by ‘aggravated circumstances’ related to the nature and seriousness of the offence, that the DOJ will grant a declination. In situations where those aggravating circumstances overcame the rebuttable presumption of declination, the DOJ would still recommend a reduction off the low end of the Sentencing Guidelines fine range and would generally not require the appointment of a monitor if the company had, at the time of resolution, implemented an effective compliance programme.
Although this basic framework remains in place, revisions to the Corporate Enforcement Policy announced on 17 January 2023 made certain changes to the benefits companies are eligible to receive from voluntary self-disclosure, full cooperation and appropriate remediation. Specifically, the January 2023 revisions now permit prosecutors to determine that a declination is the appropriate outcome even where aggravating circumstances exist, provided the company demonstrates:
- the voluntary self-disclosure was made immediately upon the company becoming aware of the allegation of misconduct;
- at the time of the misconduct and the disclosure, the company had an effective compliance programme and system of internal accounting controls that enabled the identification of the misconduct and led to the company’s voluntary self-disclosure; and
- the company provided ‘extraordinary cooperation’ with the DOJ’s investigation and ‘undertook extraordinary remediation’.
The January 2023 revisions also changed the scope of the reductions off the Sentencing Guidelines fine range that is available to companies. Under the revisions, where aggravating circumstances overcome the rebuttable presumption of a declination, the DOJ will now recommend a reduction off the low end of the Sentencing Guidelines fine range of between a minimum of 50 per cent and a maximum of 75 per cent for companies (up from the previous maximum of 50 per cent) that voluntarily self-disclose, fully cooperate and appropriately remediate in a timely manner. Likewise, companies that do not voluntarily self-disclose but that nonetheless fully cooperate with DOJ investigations and implement timely and appropriate remediation, will be eligible for limited credit, up to a maximum 50 per cent reduction off the bottom of the Sentencing Guidelines fine range (twice the maximum reduction of 25 per cent that was previously available).
By publicly disclosing benefits of voluntary self-disclosure, full cooperation and remediation, such as declinations or reduced penalties, the DOJ has sought to provide ‘increased transparency as to [the] evaluation process’. However, in a June 2019 speech to the American Bar Association, former Deputy Assistant Attorney General Matt Miner announced that the DOJ would be open to keeping declinations private where public release is ‘neither necessary nor warranted’. Miner gave the example of a corporation that discovers inconsequential bribes in an M&A transaction and self-discloses immediately – in such a case, the agency would be ‘open to discussion’ regarding publicly releasing the declination. Nonetheless, Miner maintained that this decision will always remain at the agency’s discretion.
There are also instances in which it is possible to infer that a declination may have occurred, including when relatively isolated misconduct is self-reported. For instance, in 2018, CHS Inc announced in a securities filing that it voluntarily self-disclosed potential FCPA violations in connection with a small number of reimbursements made to Mexican customs agents.
In October 2023, the DOJ announced a new policy governing voluntary self-disclosures in the M&A context. The safe harbour policy sets out a consistent approach for criminal corporate enforcement and extends the DOJ’s existing presumption of declination for acquiring companies that disclose conduct by a newly acquired target to a presumption of declination at acquired companies where the relevant conduct took place if the conduct is promptly and voluntarily disclosed within a six-month safe harbour period. The companies will need to ensure remediation within one year. Both deadlines, however, are subject to a ‘reasonableness analysis’. Further, the DOJ expects companies that have discovered misconduct that involves national security issues, or ongoing or imminent harm, to make immediate disclosures rather than relying on the presumptive deadlines.
Since 2016, the DOJ has issued 17 public declinations under the Corporate Enforcement Policy and the earlier Pilot Program, most recently in March 2023. Although there have been relatively few FCPA corporate resolutions in immediate years, recent resolutions demonstrate the DOJ is applying self-disclosure, cooperation and remediation credit as part of the Corporate Enforcement Policy. For example, in March 2023, the DOJ issued a declination letter in connection with its investigation into Corsa Coal Corporation (Corsa) despite allegations of bribes paid by employees and agents of Corsa between 2016 and 2020 to Egyptian government officials to secure coal contracts. Corsa made a voluntary self-disclosure in a timely manner to the DOJ of the conduct; fully and proactively cooperated with the DOJ, including by providing known relevant facts about the misconduct; agreed to continue cooperating with ongoing and any future government investigations; and took steps to remediate, including by terminating a sales representative involved in the alleged misconduct, making improvements to its compliance programme and internal controls, and agreeing to disgorge ill-gotten gains (despite its inability to pay full disgorgement).
Similarly, in December 2022, the DOJ issued a declination letter to Safran SA despite allegations that certain acquired subsidiaries paid millions of dollars to a close relative of a senior Chinese government official, knowing that the funds would be used at least in part to pay bribes to the official. In the declination letter, the DOJ cited Safran’s timely and voluntary self-disclosure of the misconduct; its full and proactive cooperation, including provision of all relevant facts about the misconduct; its agreement to cooperate in the DOJ’s continuing investigation and prosecutions; its full remediation, including terminating the remaining employee purportedly involved in the purported misconduct and withholding deferred compensation from another employee that had previously left, as well as enhancing its anti-corruption training and compliance programme; its agreement to disgorge ill-gotten gains; its agreement to accept responsibility and resolve a related investigation by German authorities; and the fact that Safran was a successor-in-interest to the subsidiaries that engaged in the alleged misconduct and discovered the misconduct through post-acquisition due diligence.
The Corporate Enforcement Policy and the Pilot Program have demonstrated the DOJ’s commitment to rewarding voluntary self-disclosure in FCPA enforcement and, by many accounts, have been viewed as very successful.
United States Attorneys’ Offices Voluntary Self-Disclosure Policy
The 2022 Monaco Memorandum instructed DOJ components that prosecute corporate crime to review their policies on corporate voluntary self-disclosure and, if no formal written policy existed, to draft and publicly share such a policy. In response, the Corporate Criminal Enforcement Policy Working Group, comprised of numerous US Attorneys from various districts, prepared the United States Attorneys’ Offices Voluntary Self-Disclosure Policy (USAO VSD), which applies to all US Attorney’s Offices (USAOs). For disclosures to be credited under the USAO VSD, USAO prosecutors consider whether the disclosure is made voluntarily in a timely manner and includes all relevant facts concerning the misconduct that are known to the company at the time of the disclosure.
As with the Corporate Enforcement Policy, absent the presence of an aggravating factor, USAO prosecutors will not seek a guilty plea from a company that has voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated. In addition, for companies that meet the voluntary self-disclosure criteria, the USAO VSD policy mirrors the Corporate Enforcement Policy. USAOs will not impose criminal penalties greater than 50 per cent below the low end of the US Sentencing Guidelines fine range. Even where an aggravating factor exists, for companies that voluntarily self-disclose, fully cooperate, and timely and appropriately remediate, USAOs will recommend a reduction of at least 50 per cent and up to 75 per cent off the low end of the US Sentencing Guidelines fine range and will not require appointment of a monitor if the company has, at the time of resolution, demonstrated that it has implemented and tested an effective compliance programme.
Benczkowski Memorandum and 2023 Monitor Memorandum
As part of the DOJ’s ongoing effort to update and clarify its corporate enforcement policies, in October 2018, the then Assistant Attorney General Brian Benczkowski issued guidance on imposing corporate compliance monitors, which is now known as the Benczkowski Memorandum. The guidance supplemented the 2008 Morford Memorandum, which outlined the principles on selection, scope and duration of monitorships, and supersedes the guidance contained in the 2009 Breuer Memorandum on imposing corporate monitors. Former Assistant Attorney General Brian Benczkowski explained that the goal of the new guidance was to ‘further refine the factors that go into the determination of whether a monitor is needed, as well as clarify and refine the monitor selection process’.
Under the Benczkowski Memorandum, the potential benefits of employing a corporate monitor were weighed against the cost of a monitor and its impact on the operations of the corporation. In making a determination to impose a corporate monitor, the DOJ would consider a number of factors, including the type of misconduct, the pervasiveness of the conduct and whether it involved senior management, the investments and improvements a company has made to its corporate compliance programme and internal controls, and whether those improvements have been tested to demonstrate that they would prevent or detect similar misconduct in the future. Other factors included whether remedial actions were taken against individuals involved, and the industry and geography in which the company operates and the nature of the company’s clientele. The Benczkowski Memorandum provided: ‘Where a corporation’s compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will not be necessary.’
In addition, a key feature of the Benczkowski Memorandum is that companies can receive meaningful credit, namely avoiding a compliance monitor, by engaging in extensive remediation of their compliance programmes.
The DOJ imposed monitors in four enforcement actions in 2019, one in 2020, one in 2021, three in 2022 and, at the time of writing, two in 2023.
Monaco and Polite Memoranda
Deputy Attorney General Lisa Monaco’s remarks on 28 October 2021, given at the American Bar Association’s 36th National Institute on White Collar Crime, signalled that the DOJ would potentially make more use of monitors going forward. Monaco made clear that the DOJ ‘is free to require the imposition of independent monitors whenever it is appropriate to do so in order to satisfy our prosecutors that a company is living up to its compliance and disclosure obligations’, and, to the extent that prior guidance suggested ‘that monitorships are disfavoured or are the exception’, that guidance is rescinded.
The September 2022 Monaco Memorandum substantially expanded the DOJ’s guidance on the imposition of monitors. It explained that the DOJ will not impose a presumption for or against monitors, but rather will assess whether a monitor is appropriate case by case. Specifically, the memorandum sets forth 10 non-exclusive factors that prosecutors should consider when determining whether an independent compliance monitor is warranted, including whether the conduct was voluntarily self-disclosed, whether the conduct was pervasive and long-lasting, the remedial measures taken by the company, and the adequacy of the company’s compliance programme. As noted in the preceding section, DOJ has imposed five monitors between 2022 and 2023 (to date), compared to just two monitors between 2020 and 2021.
On 1 March 2023, then Assistant Attorney General Kenneth A Polite Jr issued a memorandum with new guidance on corporate compliance monitorships (2023 Monitor Memorandum), which revised and superseded the Benczkowski Memorandum and codified policies announced in the September 2022 Monaco Memorandum. Under the 2023 Monitor Memorandum, the DOJ will not apply presumptions for or against monitors in all Criminal Division determinations. Instead, it considers 10 non-exhaustive factors to assess the need for, and benefits of, a monitor depending on the facts and circumstances of each case. The Monitor Memorandum directs prosecutors to favour imposition of a monitor where ‘there is a demonstrated need for, and clear benefit to be derived from, a monitorship’; therefore, where a corporation’s compliance programme and controls are ‘untested, ineffective, inadequately resourced, or not fully implemented at the time of a resolution’, the DOJ will consider imposing a monitorship, while monitors may not be necessary for corporations with tested, effective, well-resourced and fully implemented compliance programmes and controls.
18.104.22.168 SEC cooperation credit
Although it can be difficult to precisely quantify the benefit of cooperation with the SEC, the SEC considers general principles of sentencing, especially general deterrence. In both public statements and in practice, the SEC has made clear that companies can receive significant leniency for full cooperation. During a speech on 9 May 2018, former Enforcement Division Co-Director Steven Peikin emphasised the importance of cooperation, noting that the SEC would continue to provide ‘incentives to those who come forward and provide valuable information’. In remarks made on 4 November 2021 – shortly after Deputy Attorney General Lisa Monaco’s remarks on 28 October 2021 – SEC Chair Gary Gensler expressed the SEC’s general agreement with Monaco’s October 2021 remarks. Gensler also made clear the SEC’s interest in corporate cooperation by stating, ‘[a]ll things being equal, if you work cooperatively to bring wrongdoing to light, you fare better than if you try to mask it’. Cooperation may influence the Commission’s decision whether to impose a civil monetary penalty.
While the SEC has not entered into any non-prosecution agreements (NPAs) since 2016 and has only entered into three since their inception in 2010, the SEC nevertheless signalled its continued commitment to using NPAs to reward cooperation through amendments, passed in September 2020, to the rules governing monetary awards to whistleblowers. Specifically, the amendments clarify the SEC’s ability to make award payments to whistleblowers based on money collected as a result of DPAs and NPAs entered into by the DOJ and the SEC, to ‘ensure that whistleblowers are not disadvantaged because of the particular form of an action’ that the applicable authority takes. The SEC will, however, set a high bar before entering into an NPA in an FCPA enforcement action, if it does so again.
With respect to NPAs entered into with Akamai Technologies and Nortek, in 2016, Kara Brockmeyer, the then Chief of the SEC Enforcement Division’s FCPA Unit, stated: ‘Akamai and Nortek each promptly tightened their internal controls after discovering the bribes and took swift remedial measures to eliminate the problems. They handled it the right way and got expeditious resolutions as a result.’
4.4 Risks in voluntarily self-reporting
While self-disclosure can reap significant monetary benefits, a company must balance the potential risks against any potential benefit. Self-reporting can give rise to lengthy and expensive cooperation obligations and increased government scrutiny. As discussed above, the multi-jurisdictional nature of many ‘white-collar’ matters means that self-reporting may lead to enquiries from global regulators, differing resolutions and ongoing obligations. Moreover, self-reporting may ultimately lead to enforcement action – regardless of whether the company ultimately receives credit for doing so.
Even though self-reporting may reduce fines or penalties substantially and increase the likelihood of the company receiving a declination, NPA or DPA, it remains the case that reputational harms, investigation into other potential misconduct at the company, collateral litigation, shareholder suits and other collateral consequences may nonetheless result.
Companies self-reporting may need to demonstrate they have effective compliance programmes in place or establish them. Even for self-reporting companies, the DOJ is likely to impose a stringent bar when evaluating the sufficiency of compliance programmes to determine whether the requirements of the Corporate Enforcement Policy are met or to otherwise reduce liability. In March 2023, the DOJ published revised guidance on Evaluation of Corporate Compliance Programs (the Guidance), first released in February 2017 and updated in April 2019 and June 2020. The Guidance is framed around three fundamental questions as to whether the corporation’s compliance programme is well designed, is being applied earnestly and in good faith (i.e., is adequately resourced and empowered to function effectively) and works in practice. The Guidance has since also been incorporated into the 2020 FCPA Resource Guide, which notes the DOJ’s position that ‘the truest measure of an effective compliance program is how it responds to misconduct’.
On 25 March 2022, then Assistant Attorney General Kenneth A Polite Jr gave a speech providing additional colour about how the DOJ evaluates these requirements. In assessing design, the DOJ ‘closely examine[s] the company’s process for assessing risk’ to determine if it has implemented policies and procedures to address key risk areas, as well as the company’s processes for training and reporting violations of law. For resourcing, the DOJ wants to know ‘more than dollars, headcount, and reporting lines’, including the qualifications and expertise of compliance personnel and the stature of the compliance function. And for operation in practice, the DOJ will look at whether the company is ‘continually testing’ its compliance programme, identifying gaps and addressing root causes, and demonstrating an ethical culture in practice.
Consistent with the September 2022 Monaco Memorandum, the March 2023 revisions to the Guidance also show that the DOJ will focus on whether corporations are developing and maintaining positive compliance culture by establishing incentives for compliance and disincentives for compliance failures, including considering the corporation’s transparency regarding disciplinary processes and actions, the corporation’s use of tracking data to monitor effectiveness of compliance programmes and whether the corporation incentivises compliance through the design of its compensation systems, such as financial penalties to deter risky behaviour (e.g., compensation clawbacks) and positive incentives (such as promotions, rewards, and bonuses) for improving and developing a compliance programme.
Although the content of the Guidance is largely familiar to practitioners, it does give a picture of the DOJ’s current approach to corporate compliance. The Guidance underscores the DOJ’s focus on the operation, rather than the appearance, of corporate compliance programmes. The Guidance suggests that companies should expect to be asked detailed and challenging questions regarding the scope and effectiveness of their compliance programmes, both at the time of the offence and at the time of the charging decision and resolution. The Guidance emphasises the DOJ’s expectation that compliance programmes should be risk-based and tailored to the specific commercial realities of the company’s business, and that companies should continually reassess their risk profiles and the efficacy of their compliance programmes to ensure their programmes are fit to address evolving risks and trends. Moreover, the Guidance makes clear that the DOJ will enquire about the company’s culture of compliance at all levels of the business, including middle management as well as senior management, and whether the company’s compliance function has sufficient access to data across the business and makes use of data analytics to monitor and test policies, controls and transactions. In the M&A context, the Guidance emphasises the need for pre-acquisition compliance due diligence as well as post-closing integration.
If a company’s compliance programme fails to withstand such scrutiny, it risks losing credit for the programme, paying higher penalties or even facing separate violations for inadequate internal controls. Taking these existing increasingly stringent cooperation standards into consideration, companies considering self-disclosure should carefully assess whether they can meet regulator expectations. If companies fall short, regulators may refuse cooperation credit and use the information obtained through the self-disclosure against the company.
4.5 Risks in choosing not to self-report
US regulators have warned that the potential downside of not self-reporting any violation could be significant where the matter is otherwise brought to their attention. For example, in a March 2022 press release announcing a guilty plea and a US$700 million FCPA settlement with Glencore International AG (Glencore) and Glencore Ltd to resolve allegations of bribing officials in a number of countries, the DOJ noted that Glencore did not disclose in a timely manner the conduct that triggered the investigation, and it did not receive full cooperation credit because it delayed in producing evidence and did not appropriately discipline employees involved in a timely manner.
Consequently, companies should carefully consider the likelihood that the conduct will be discovered by other means. For instance, if regulators undertake an industry-wide investigation into particular practices, which we have observed in recent years with pharmaceutical companies, medical device manufacturers and automobile companies, as examples, a company might be exposed by a competitor’s self-report or more passively through a third-party subpoena or any investigative demand.
Companies should also be sensitive to increasing whistleblower activity. Current or former employees are incentivised to report potential misconduct to US regulators, which has led to substantial recoveries for the government. The SEC’s whistleblower programme has been steadily active, with 281 individuals receiving approximately US$1.3 billion between 2012 and August 2022. Whistleblowers are eligible to receive awards between 10 per cent and 30 per cent of the money recovered if their ‘high-quality original information’ leads to enforcement actions in which the SEC orders at least US$1 million.
Moreover, the SEC’s 2020 amendments to the rules governing the whistleblower award programme provide that for awards where the statutory maximum amount is US$5 million or less, there is a presumption that the SEC will pay the claimant the 30 per cent maximum statutory award unless there are negative award criteria present, subject to certain limitations.
In August 2022, the SEC adopted amendments to (1) allow the Commission to pay whistleblowers in non-SEC actions where another federal agency’s programme is not comparable to the SEC’s or if the award would not exceed US$5 million and (2) affirmed the Commission’s authority to consider the dollar amount of a potential award for the limited purpose of increasing – but not decreasing – an award. The programme continues to be a priority for the Commission.
In May 2023, the SEC announced the largest whistleblower award to date, with a single whistleblower receiving nearly US$279 million. Additionally, the Anti-Money Laundering Act of 2021 expanded incentives for whistleblowers to disclose potential anti-money laundering related violations.
In December 2022, Congress passed the AML Whistleblower Improvement Act, which – among other things – provides for whistleblowing awards for economic sanctions violations. It is therefore important that a company consider the real possibility that its conduct could be exposed by means other than voluntary self-disclosure, and the associated, often expensive, risks associated with not being the first to come forward.
4.6 Briefing the board
When deciding not to self-report, a company must ensure that the decision is appropriately considered and documented. If a company decides not to self-report and the government later enquires about the issue, the best defence is that the company conducted a thorough investigation, remediated the issue and had a reasonable basis for not self-reporting to the government. US regulators will look to a company’s board of directors to ensure the appropriate steps were taken. The SEC, for instance, has expressed that the board must exercise oversight and set a strong ‘tone at the top’ emphasising the importance of compliance.
An important consideration is if and when the board should be briefed about potential misconduct, particularly where voluntary self-reporting may benefit the corporation. It can be advisable to keep boards apprised of internal investigations into potential misconduct, particularly to the extent the issues are potentially material to the company or its strategic interests, with more detailed reporting as necessary depending on the severity or veracity of allegations. If it is determined that there is a reasonable probability of significant civil regulatory or criminal exposure, the board should be notified of significant developments in the investigation, remediation and, if necessary, government interactions. In briefing the board, it is important to balance the need to document that the board was informed in detail about the status and results of the investigation with the risk that board materials could ultimately be subject to disclosure, including through shareholder requests, government investigations or other discovery requests, or required disclosures.
The decision for a corporation to voluntarily self-disclose potential misconduct to the DOJ or the SEC involves a wide variety of considerations described in this chapter. Corporate decision makers must weigh the benefits of self-reporting (e.g., reduced fines and presumptions against guilty pleas) against the risks attendant to reporting such misconduct (e.g., negative publicity and potential collateral consequences resulting from the investigation or prosecution of misconduct), often in the face of uncertainty. These decisions are inherently fact- and circumstance-specific, and should be carefully considered in light of the evolving guidance provided by the DOJ and the SEC.
 F Joseph Warin and Winston Y Chan are partners and Chris Jones and Duncan Taylor are senior associates at Gibson, Dunn & Crutcher LLP.
 US Dep’t of Justice (DOJ) and US Sec. & Exch. Comm’n (SEC), ‘A Resource Guide to the US Foreign Corrupt Practices Act’ (2d ed. 2020) (2020 FCPA Resource Guide), www.justice.gov/criminal-fraud/file/1292051/download.
 Memorandum from Lisa O Monaco, Deputy Att’y Gen., DOJ, on Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies (28 Oct. 2021), www.justice.gov/dag/page/file/1445106/download (October 2021 Monaco Memorandum); see also Lisa O Monaco, Deputy Att’y Gen., DOJ, Keynote Address at ABA’s 36th National Institute on White Collar Crime (28 Oct. 2021), www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute (Monaco Keynote Address).
 Memorandum from Lisa O Monaco, Deputy Att’y Gen., DOJ, on Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group (15 Sept. 2022), www.justice.gov/opa/speech/file/1535301/download (September 2022 Monaco Memorandum).
 Kenneth A Polite Jr, Assistant Att’y Gen., DOJ, ‘Remarks on Revisions to the Criminal Division’s Corporate Enforcement Policy’ delivered at Georgetown University Law Center (17 Jan. 2023), www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-remarks-georgetown-university-law (January 2023 Polite Remarks).
 Lisa O Monaco, Deputy Att’y Gen., DOJ, ‘Deputy Attorney General Lisa O. Monaco Announces New Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions’ (4 Oct. 2023), www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-announces-new-safe-harbor-policy-voluntary-self (Monaco M&A Speech).
 2020 FCPA Resource Guide at 52–53.
 When announcing the policy, former Deputy Attorney General Rod Rosenstein specifically remarked that ‘[c]ooperating with a different agency or a foreign government is not a substitute for cooperating with the Department of Justice’. Rod J Rosenstein, Deputy Att’y Gen., DOJ, Remarks to the New York City Bar White Collar Crime Institute (9 May 2018), www.justice.gov/opa/speech/deputy-attorney-general-rod-rosenstein-delivers-remarks-new-york-city-bar-white-collar.
 See, e.g., 31 U.S.C. § 5318(g).
 Security Breach Notification Laws, National Conference of State Legislatures, www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (14 Apr. 2021).
 DOJ, Justice Manual § 9-28.000; see also FCPA Corporate Enforcement Policy, DOJ, Justice Manual § 9-47.120, www.justice.gov/jm/jm-9-47000-foreign-corrupt-practices-act-1977#9-47.120 (Corporate Enforcement Policy).
 SEC Division of Enforcement, Enforcement Manual (28 Nov. 2017), www.sec.gov/divisions/enforce/enforcementmanual.pdf.
 Corporate Enforcement Policy; September 2022 Monaco Memorandum at 6–7.
 Memorandum from Eric Holder, Deputy Att’y Gen., DOJ, on Bringing Criminal Charges Against Corporations to Department Component Heads and US Attorneys (16 June 1999), www.justice.gov/sites/default/files/criminal-fraud/legacy/2010/04/11/charging-corps.PDF.
 Id. at 3 (listing eight factors prosecutors should consider in deciding whether to bring charges against corporations that include ‘[t]he corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents’).
 DOJ, Justice Manual § 9-28.000.
 Id. § 9-28.700 – Value of Cooperation.
 DOJ, Justice Manual § 9-28.300.
 Rod J Rosenstein, Deputy Att’y Gen., DOJ, Remarks at the American Conference Institute’s 35th International Conference on the Foreign Corrupt Practices Act (29 Nov. 2018), www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarks-american-conference-institute-0 (emphasis added).
 Monaco Keynote Address; see also October 2021 Monaco Memorandum.
 September 2022 Monaco Memorandum.
 Id. at 3 (original emphasis).
 Marshall Miller, Principal Associate Deputy Att’y Gen., DOJ, Keynote Address at Global Investigations Review (20 Sept. 2022), www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-live-keynote-address (Miller Keynote Address).
 September 2022 Monaco Memorandum, at 6–7.
 Id. at 7–8.
 See Miller Keynote Address.
 DOJ, Justice Manual § 9-28.700.
 Corporate Enforcement Policy.
 Jody Godoy, ‘DOJ Expands Leniency Beyond FCPA, Lets Barclays Off’, Law360 (1 Mar. 2018), www.law360.com/articles/1017798/doj-expands-leniency-beyond-fcpa-lets-barclays-off.
 The October 2021 Monaco Memorandum has been incorporated into the Justice Manual, and the September 2022 Monaco Memorandum expressly provides that the policies it set forth ‘will be incorporated into the Justice Manual through forthcoming revisions’. September 2022 Monaco Memorandum at 2.
 Corporate Enforcement Policy.
 The DOJ evaluated corporate cooperation in this manner when reaching its deferred prosecution agreement with Mobile TeleSystems in February 2019. See www.justice.gov/opa/press-release/file/1141631/download.
 Corporate Enforcement Policy at § 1. ‘Aggravating circumstances that may warrant a criminal resolution include, but are not limited to, involvement by executive management of the company in the misconduct; a significant profit to the company from the misconduct; pervasiveness of the misconduct within the company; and criminal recidivism.’
 Corporate Enforcement Policy at § 3. The Corporate Enforcement Policy provides specific guidance on the criteria for evaluating a corporate compliance programme, while also noting that the criteria may vary based on the size and resources of an organisation. Factors listed in the policy include a culture of compliance, compliance resources, the quality and experience of compliance resources, independence and authority of the compliance function, effective risk assessments and a risk-based approach, compensation and promotion of compliance employees, compliance-related auditing and compliance reporting structure.
 January 2023 Polite Remarks.
 In the case of a criminal recidivist, any reduction will generally not be from the low end of the Sentencing Guidelines fine range; rather, prosecutors will have discretion to determine the starting point for the reduction from within the Sentencing Guidelines range. Id.
 Once again, in the case of a criminal recidivist, prosecutors will have discretion to determine the starting point for the reduction from within the Sentencing Guidelines range. Id.
 Matt Miner, Deputy Assistant Att’y Gen., DOJ, Remarks at The American Bar Association, Criminal Justice Section Third Global White Collar Crime Institute Conference (27 June 2019), www.justice.gov/opa/speech/deputy-assistant-attorney-general-matt-miner-delivers-remarks-american-bar-association.
 Monaco M&A Speech; see also Nicole M Argentieri, Acting Ass’t Att’y Gen., DOJ, ‘Acting Assistant Attorney General Nicole M. Argentieri Delivers Remarks at the American Bar Association 10th Annual London White Collar Crime Institute’ (10 Oct. 2023), www.justice.gov/opa/speech/acting-assistant-attorney-general-nicole-m-argentieri-delivers-remarks-american-bar.
 Monaco M&A Speech
 DOJ Declination Letter, dated 8 March 2023, re: Corsa Coal Corporation, www.justice.gov/criminal-fraud/file/1573526/download.
 DOJ Declination Letter, dated 21 December 2022, re: Safran S.A., www.justice.gov/criminal-fraud/file/1559236/download.
 September 2022 Monaco Memorandum at 7.
 United States Attorneys’ Offices Voluntary Self-Disclosure Policy (USAO VSD) at 1.
 Id. at 3-4.
 Similar to the Corporate Enforcement Policy, under the USAO VSD, aggravating factors include, but are not limited to, misconduct that poses a grave threat to national security, public health, or the environment, is deeply pervasive throughout the company, or involves the company’s current executive management. USAO VSD at 4.
 USAO VSD at 5.
 Memorandum from Brian A Benczkowski, Assistant Att’y Gen., DOJ, (11 Oct. 2018), Selection of Monitors in Criminal Division Matters, www.justice.gov/opa/speech/file/1100531/download (Benczkowski Memorandum); ‘Assistant Attorney General Brian A Benczkowski Delivers Remarks at NYU School of Law Program on Corporate Compliance and Enforcement Conference on Achieving Effective Compliance’, www.justice.gov/opa/speech/assistant-attorney-general-brian-benczkowski-delivers-remarks-nyu-school-law-program.
 Benczkowski Memorandum at 2.
 Monaco Keynote Address.
 September 2022 Monaco Memorandum at 7–8.
 Id. at 12–13.
 Memorandum from Kenneth A Polite Jr, Assistant Att’y Gen., Criminal Division, DOJ, (1 Mar. 2023), ‘Revised Memorandum on Selection of Monitors in Criminal Division Matters’, www.justice.gov/opa/speech/file/1571916/download.
 Id. at 1-2.
 The 10 non-exhaustive factors the DOJ will consider include: (1) whether the corporation voluntarily self-disclosed the underlying misconduct; (2) whether the corporation implemented an effective compliance programme and sufficient internal controls to detect and prevent similar misconduct at the time of resolution and after a thorough risk assessment; (3) whether the corporation has adequately tested its compliance programme and internal controls at the time of resolution; (4) whether the underlying misconduct was long-lasting or pervasive, or was approved, facilitated or ignored by senior management, executives or directors (including through corporate culture); (5) whether the underlying misconduct involved exploitation of an inadequate compliance programme or system of internal controls; (6) whether the underlying misconduct involved active participation of compliance personnel or the failure of compliance personnel to appropriately escalate or respond to red flags; (7) whether the corporation took adequate investigative or remedial measures to address the underlying misconduct (e.g., termination of business relationships and practices that contributed to the misconduct and discipline or termination of personnel involved in the misconduct, including supervisors and management); (8) whether, at the time of resolution, the corporation’s risk profile has substantially changed such that there is minimal or no risk of the misconduct recurring; (9) whether the corporation faces any unique risks or compliance challenges (e.g., the particular region or business sector the corporation operates in or the nature of its customers); and (10) whether and the extent to which the corporation is subject to oversight from industry regulators or has a monitor from another enforcement authority. Id. at 2-3.
 Id. at 3.
 Steven Peikin, Co-Director, Division of Enforcement, SEC, ‘Keynote Address at the New York City Bar Association’s 7th Annual White Collar Crime Institute’, available at www.sec.gov/news/speech/speech-peikin-050918.
 Gary Gensler, Chair, SEC, ‘Prepared Remarks at the Securities Enforcement Forum’, www.sec.gov/news/speech/gensler-securities-enforcement-forum-20211104.
 The SEC announced its first non-prosecution agreement (NPA) in an FCPA case in 2013, when it entered into an NPA with Ralph Lauren Corporation relating to bribes paid to government officials in Argentina. See ‘SEC Announces Non-Prosecution Agreement With Ralph Lauren Corporation Involving FCPA Misconduct’, www.sec.gov/news/press-release/2013-2013-65htm. The SEC announced its second and third NPAs on 7 June 2016. See ‘SEC Announces Two Non-Prosecution Agreements in FCPA Cases’, www.sec.gov/news/pressrelease/2016-109.html.
 DOJ, Criminal Division, Evaluation of Corporate Compliance Programs (updated Mar. 2023) (the Guidance), www.justice.gov/criminal-fraud/page/file/937501/download.
 Kenneth A Polite Jr, Assistant Att’y Gen., DOJ, Prepared Remarks at NYU Law’s Program on Corporate Compliance and Enforcement, www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-remarks-nyu-law-s-program-corporate.
 The Guidance at 12–14. Although outside the scope of this chapter, revisions to the Guidance also address the use of employee personal devices and the use of third-party communication platforms (including ephemeral messaging platforms).
 ‘Glencore Entered Guilty Pleas to Foreign Bribery and Market Manipulation Schemes’, www.justice.gov/opa/pr/glencore-entered-guilty-pleas-foreign-bribery-and-market-manipulation-schemes.
 Office of the Whistleblower, Press Releases and Statements, www.sec.gov/whistleblower/pressreleases; see also ‘SEC Awards More Than $16 Million to Two Whistleblowers’, www.sec.gov/news/press-release/2022-139.
 31 U.S.C. § 5323(g).
 S.3316/H.R. 7195, www.congress.gov/bill/117th-congress/senate-bill/3316.
 See, e.g., Mary Jo White, Chair, SEC, Address at the Stanford University Rock Center for Corporate Governance Twentieth Annual Stanford Directors’ College, www.sec.gov/news/speech/2014-spch062314mjw.
 Notification of the board of directors is often required under federal securities law. Section 307 of the Sarbanes-Oxley Act of 2002 requires that an attorney report evidence of a material violation of securities laws or breach of fiduciary duty by the company or any agent ‘up-the-ladder’ (i.e., first to the chief legal officer or chief executive officer and, thereafter, if appropriate remedial measures are not taken, to the audit committee of the board or other board committee comprised solely of non-employee directors). Wherever possible, it is best to engage the board’s disclosure counsel to assist in making this determination.