Self-Reporting to the Authorities and Other Disclosure Obligations: The US Perspective

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

4.1 Introduction

While there is typically no formal obligation in the United States to disclose potential wrongdoing to enforcement authorities, there can often be strategic advantages to doing so. Indeed, in some cases, subjects of investigations may avoid some of the most adverse consequences by self-reporting, including reduced penalties and more favourable settlement terms. Additionally, companies in certain regulated sectors may avoid potential debarment even where clear violations occurred. Moreover, US regulators have increasingly been incentivising companies to self-report by offering potential co-operation credit for doing so. US regulators have historically been receptive to parties reporting facts while preserving privilege during the co-operation and reporting process, and are specifically prohibited from conditioning co-operation credit on privilege waiver. Furthermore, the English Court of Appeal recently rejected the lower court’s ruling in the SFO v. ENRC ^[2] case that litigation privilege could not apply to materials prepared by counsel in the course of an internal investigation where the company chooses to co-operate with regulators. The decision more closely aligns English law in relation to privilege with that in the United States. However, while the US enforcement regime has created a substantial historical record to analyse, the unique circumstances of each case, as well as changing principles and priorities of regulators, make quantifying such strategic advantages difficult.

With the United States Department of Justice’s (DOJ) new FCPA Corporate Enforcement Policy, the Trump administration appears committed to vigorously enforcing the Foreign Corrupt Practices Act (FCPA), including a continued focus on self-reporting and multi-jursidictional co-operation. In 2017, the DOJ brought 27 FCPA actions and the SEC brought eight, with a total of US$934 million in settlements, while the first half of 2018 saw the DOJ bring nine actions and the SEC four, netting more than US$923 million in fines. The DOJ’s June 2018 settlement with Société Générale^[3] was one of the largest ever in an FCPA case – more than US$585 million to resolve allegations that the bank bribed officials in Libya to secure investments from various Libyan state institutions.

4.2 Mandatory self-reporting to authorities

Prior to considering whether to make a voluntary disclosure, it is important for at least two reasons to determine whether the company has any potential mandatory reporting obligation. First, mandatory reporting obligations often contain specific requirements with respect to the recipient, form, timing and content of the disclosure. Second, any evaluation of whether to self-report will be materially altered if a mandatory report is required, even if that report is in another jurisdiction, given the clear commitment to sharing information between regulators in the United States and abroad. In other words, if a company is required to self-report in at least one jurisdiction, it should consider voluntarily disclosing in other jurisdictions given the likelihood that the government agencies will share information.

In May 2018, the DOJ announced a new formal policy to avoid ‘piling on’ penalties that are duplicative for the same misconduct. Under the policy, various US enforcement agencies must coordinate with each other and with foreign government agencies when reaching settlements with corporations. However, the DOJ has warned that companies looking to benefit from the new policy should self-disclose wrongdoing to the DOJ. When announcing the policy, Deputy Attorney General Rod Rosenstein specifically remarked that the DOJ ‘will not look kindly on companies that come to [the DOJ] after making inadequate disclosures to secure lenient penalties with other agencies or foreign governments. In those instances, the Department will act without hesitation to fully vindicate the interests of the United States.’^[4]

Case Studies: International Coordination in Enforcement
	Rolls-Royce	Keppel Offshore Marine
Background	Rolls-Royce plc is a UK-based engineering company. In its settlement with the DOJ, Rolls-Royce admitted it made over $35m in commission payments to third parties from 2000 to 2013, which were used to bribe foreign officials in a number of countries. In exchange, those foreign officials provided confidential information and awarded contracts to Rolls-Royce, its subsidiaries and affiliated entities. As part of its resolution with the UK prosecutor, Rolls-Royce also admitted paying bribes or failing to prevent bribery payments in connection with its business operations in various countries between 1989 and 2013. Although Rolls-Royce did not self-report, it did offer substantive co-operation during the investigation.	Keppel Offshore Marine (KOM), a Singaporean marine engineering firm with a private US subsidiary, allegedly bribed officials at Brazil’s state-owned oil company, Petrobras, to secure contracts earning it approximately $352m over 13 years. KOM admitted that between 2001 and 2014, it paid $55m in bribes to Brazilian officials through an intermediary, under the guise of legitimate consulting agreements. KOM received substantial credit for co-operation with the DOJ’s investigation and for its extensive remedial measures. The company received no credit for self-reporting because the DOJ already knew of the alleged conduct when it was reported as a result of the MPF’s existing investigation, which began in 2014, and public reporting of the allegations.
Enforcement	In December 2016, Rolls-Royce entered into a deferred prosecution agreement (DPA) with the DOJ in connection with a criminal information filed in the Southern District of Ohio. The company was charged with conspiracy to commit violations of the FCPA’s anti-bribery provisions. Rolls-Royce also entered into settlements with the Serious Fraud Office (SFO) in the UK and the Ministério Público Federal (MPF) in Brazil. In its press release, the DOJ acknowledged its appreciation of the significant assistance provided by the SFO, and further acknowledged its strong relationship with the SFO and MPF in the fight against corruption.	In August 2017, KOM in-house counsel Jeffrey Chow pleaded guilty to conspiracy to violate the FCPA. He faces five years in prison. KOM entered a DPA in connection with a criminal information filed in December 2017 in the Eastern District of New York charging it with conspiracy to violate the FCPA’s anti-bribery provisions. In related proceedings, the company settled with the MPF in Brazil and the Attorney General’s Chambers in Singapore. The case was the first coordinated FCPA resolution with Singapore, and one of several recently with Brazil. The DOJ reaffirmed its commitment to working with international partners to investigate and prosecute corruption.
Resolution	Rolls-Royce entered into a global settlement of more than $800m with authorities in the UK, the US and Brazil for bribery in Brazil, Thailand, China, India, Russia and other countries. Rolls-Royce entered a DPA with the DOJ and agreed to pay $170m in criminal penalties; a DPA with the SFO and agreed to pay a total fine of £497m; and a leniency agreement and agreed to pay the MPF $25.5m. The DOJ’s and SFO’s investigations of individuals is ongoing. The resolution is the largest-ever criminal enforcement action against a company in the UK.	Keppel Offshore agreed to a $422m global settlement with US, Brazilian and Singaporean authorities. KOM entered into a DPA with the DOJ, and its US subsidiary entered into a plea agreement. KOM was ordered to pay a criminal penalty of $105.5m to the US. KOM entered into a leniency agreement with the MPF and agreed to pay $211m to Brazil. KOM was issued a conditional warning in lieu of prosecution and agreed to pay $105.5m to Singapore.

4.2.1 Statutory and regulatory mandatory disclosure obligations

In the United States, most disclosure obligations originate in statute or regulations. Key examples include:

the Sarbanes-Oxley Act of 2002, which requires the disclosure of all information that has a material financial effect on a public company in periodic financial reports;
the US Bank Secrecy Act of 1970, which requires financial institutions to disclose certain suspicious transactions or currency transactions in excess of US$10,000;
the US Anti-Money Laundering Regulations, which require financial institutions to report actual or suspected money laundering under certain circumstances;^[5, 6]
state data breach regulations – 47 of 50 US states have laws requiring companies conducting business in the state to disclose data breaches involving personal information; and
the Anti-Kickback Enforcement Act of 1986, which requires government contractors to make a ‘timely notification’ of violations of federal criminal law or overpayments in connection with the award or performance of most federal government contracts or subcontracts, including those performed outside the United States.

4.2.2 Disclosure obligations under existing agreements with the government

In addition to statutory or regulatory-based mandatory disclosure requirements, companies must also evaluate whether they have any mandatory disclosure obligations under pre-existing agreements with the government. For example, if a company is subject to a deferred prosecution agreement (DPA) or corporate integrity agreement (CIA), these agreements often contain self-reporting mandates for any subsequent violations. In many cases, these agreements may require the appointment of independent monitors. While DPAs, CIAs and similar agreements have been used frequently in the United States, other countries are also now seeking to increase use of similar agreements to drive self-reporting and co-operation. Most notably, in the United Kingdom the Serious Fraud Office (SFO) entered into its first DPA, with Standard Bank, in late 2015 and has since entered into three additional DPAs.

4.2.3 Other sources of mandatory disclosure obligations

Individuals and companies may also have mandatory disclosure obligations as a result of private contractual agreements as well as membership in professional bodies. Such disclosures between private parties may lead to a disclosure to a regulator by the receiving entity. For example, a subcontractor may be obliged by contract to report issues to the contracting party. That contracting party may subsequently determine that it is subject to its own reporting obligation or may in turn choose to self-report to reduce any potential liability.

4.3 Voluntary self-reporting to authorities

While the DOJ and the US Securities and Exchange Commission (SEC) consider several factors in deciding how to proceed with and resolve investigations and enforcement actions in cases involving corporations, self-reporting and co-operation are important factors for both agencies. Whether to voluntarily self-report to US authorities is a fact-intensive and holistic inquiry. There is no one-size-fits-all approach to this analysis, but those contemplating voluntarily disclosing misconduct to US authorities should keep certain considerations in mind.

Key Considerations in Resolving Enforcement Actions
US Department of Justice	US Securities and Exchange Commission
• Self-disclosure and willingness to co-operate in the investigation • Pervasiveness of wrongdoing within the corporation • Existence and effectiveness of a compliance programme • Meaningful remedial actions	• Self-reporting and investigation of misconduct • Effective compliance procedures and appropriate tone at the top • Whether the case involves a potentially widespread industry practice • Whether the conduct is ongoing

4.3.1 Advantages of voluntarily self-reporting

The primary benefit to self-reporting is to secure potentially reduced penalties through earned co-operation credit and, moreover, to maintain the opportunity to control the flow of information to regulators. In recent years, US regulators have become increasingly vocal about the benefits of self-disclosure and co-operation, with the DOJ even formalising the benefits available to self-disclosing companies first, in its FCPA Pilot Program (Pilot Program),^[7] and subsequently the FCPA Corporate Enforcement Policy. Most recently, the former Attorney General, Jeff Sessions, indicated that, when making charging decisions, the DOJ will continue to take into consideration whether companies co-operate and self-disclose their wrongdoing.^[8] Yet, co-operation, which inevitably goes hand in hand with a voluntary disclosure, imposes significant demands on corporations and is not without meaningful risk.

4.3.1.1 DOJ co-operation credit

To encourage self-reporting and co-operation, the DOJ has issued and subsequently revised guidance on the subject for many years. In June 1999, the DOJ issued the Principles of Federal Prosecution of Business Organizations, now known as the ‘Holder Memorandum’, to articulate and standardise the factors to be considered by federal prosecutors in making charging decisions against corporations.^[9] The Holder Memorandum instructed DOJ prosecutors to consider as a factor in bringing charges whether a corporation has timely and voluntarily disclosed wrongdoing and whether it has been willing ‘to cooperate in the investigation of its agents.’^[10] In 2008, the then Deputy Attorney General, Mark R Filip, added language to the US Attorneys’ Manual, now titled the Justice Manual,^[11] maintaining that when assessing a corporation’s co-operation, a prosecutor may consider ‘the corporation’s willingness to provide relevant information and evidence and identify relevant actors within and outside the corporation, including senior executives.’^[12] Mr Filip also outlined in his memorandum nine factors on which prosecutors base their corporate charging and resolution decisions, the so-called ‘Filip Factors’, that incorporated some of the language provided initially by Holder in 1999 (Filip Factor Four, a corporation’s ‘willingness to cooperate in the investigation of [its] agents’), and the addition of Filip Factor Eight: ‘the adequacy of prosecution of individuals responsible for the corporation’s malfeasance.’^[13]

The Yates Memorandum

Building on the prior DOJ guidance, former Deputy Attorney General Sally Quillian Yates issued the Memorandum of Individual Accountability for Corporate Wrongdoing, now known as the ‘Yates Memorandum’, in September 2015.^[14] The Yates Memorandum is still operative and outlines the ‘six key steps’ prosecutors should take in all investigations of corporate wrongdoing.^[15] Some of these steps represent significant – though not drastic – policy changes, whereas others are simply a memorialisation of best practices that have already been in place in various United States Attorney’s Offices across the country. The most significant policy shift in the Yates Memorandum concerns the relationship between a company’s co-operation with respect to individual wrongdoers and the company’s eligibility to receive co-operation credit. Previously, Filip Factor Four weighed the provision of information regarding culpable individuals as one consideration among many. Under the Yates Memorandum, the identification of responsible individuals is now a ‘threshold requirement’ for receiving any co-operation credit consideration.^[16] On 20 April 2017, then Acting Principal Deputy Assistant Attorney General Trevor N McFadden indicated that the DOJ continues to prioritise the prosecutions of individuals, echoing former Attorney General Jeff Sessions’s emphasis on the importance of individual accountability for corporate misconduct.^[17]

By making full disclosure and co-operation with regard to individuals a prerequisite for any co-operation credit for the company, the DOJ has raised the stakes. Ms Yates emphasised that a failure to conduct a robust internal investigation is not an excuse, stating that ‘[c]ompanies may not pick and choose what facts to disclose.’^[18] At face value, the Yates Memorandum and Ms Yates’s accompanying remarks suggest that a company could conduct a diligent and thorough investigation that still fails to identify culpable individuals despite the best efforts of the company. However, subsequent public statements by Ms Yates and former Assistant Attorney General Leslie Caldwell emphasised the DOJ’s willingness to use appropriate discretion. The revised Justice Manual reflects this consideration, noting: ‘There may be circumstances where, despite its best efforts to conduct a thorough investigation, a company genuinely cannot get access to certain evidence or is actually prohibited from disclosing it to the government.’^[19] However, the Justice Manual is clear that in such cases ‘the company seeking cooperation will bear the burden of explaining the restrictions it is facing to the prosecutor.’^[20] Consequently, the importance of thorough and properly scoped internal investigations has never been greater.

DOJ FCPA Pilot Program and Corporate Enforcement Policy

In April 2016, the DOJ announced through the Fraud Section’s revised FCPA Enforcement Plan and Guidance that it was launching a one-year Pilot Program to enhance its efforts to detect and prosecute individuals and companies for violations of the FCPA.^[21] The Pilot Program was extended for an additional year on 10 March 2017. On 29 November 2017, Deputy Attorney General Rod Rosenstein publicly applauded the Pilot Program, which endeavoured to incentivise voluntary self-disclosure of misconduct, as a ‘step forward in fighting corporate crime’.^[22] Noting that in the 18 months during which the Pilot Program was in effect, the DOJ’s FCPA Unit received 30 voluntary disclosures, compared with 18 in the previous 18-month period, Rosenstein announced that the DOJ would be incorporating a revised FCPA Corporate Enforcement Policy into the Justice Manual.^[23] On 1 March 2018, the DOJ announced that it would apply the Corporate Enforcement Policy as non-binding guidance in criminal cases outside the FCPA context.^[24] In light of this recent development, the Corporate Enforcement Policy provides valuable guidance to corporations as they investigate misconduct and contemplate voluntary disclosure.

The Pilot Program set forth specific factors that a company had to meet to earn credit for voluntary self-disclosure, which remain in place under the Corporate Enforcement Policy. The disclosure (1) must not be mandated by any law, agreement or contract; (2) must occur prior to an imminent threat of disclosure or government investigation; (3) must be disclosed within a reasonably prompt time after the company becomes aware of the offence; and (4) must include all relevant facts known to the company, including all relevant facts about the individuals involved in any FCPA violation.^[25] Both programmes contain specific guidance on the steps a company must take to earn full co-operation credit and to provide timely and appropriate remediation, noting that such steps are consistent with the Yates Memorandum and the Justice Manual’s Sentencing Guidelines.

Compared with the Pilot Program, the Corporate Enforcement Policy enhances the benefits available to a company that satisfies all the requirements for voluntary self-disclosure, co-operation and remediation. Under both programmes, companies that fully co-operate with DOJ investigations and implement appropriate remediation in FCPA matters, but that do not voluntarily self-disclose, will be eligible for limited credit, at most a 25 per cent reduction off the bottom of the Sentencing Guidelines fine range. However, when a company has voluntarily self-disclosed, fully co-operated with the DOJ, and has timely and appropriately remediated, the Corporate Enforcement Policy creates a rebuttable presumption, which may be overcome by ‘aggravated circumstances’ related to the nature and seriousness of the offence, that the DOJ will grant a declination.^[26] In contrast, the Pilot Program provided that the DOJ would ‘consider’ a declination for companies that met these requirements.^[27] Under the new Policy, if the presumption is overcome and a criminal resolution is warranted, DOJ will recommend a 50 per cent reduction off the low end of the Sentencing Guidelines fine range and generally will not require the appointment of a monitor if the company has, at the time of resolution, implemented an effective compliance programme.^[28] The DOJ issued seven public declinations under the Pilot Program,^[29] a trend that appears to be continuing under the Corporate Enforcement Policy.

On 23 April 2018, the DOJ issued its first declination under the new FCPA Corporate Enforcement Policy. The DOJ declined to prosecute commercial data and analystics provider Dun & Bradstreet in relation to bribery committed by employees of the company’s subsidiaries in China.^[30] The DOJ stated that the company fulfilled the Enforcement Policy’s requirements through (1) prompt voluntary self-disclosure of the misconduct, (2) thorough internal investigation, and (3) thorough co-operation and remediation. Among other things, the DOJ specifically acknowledged Dun & Bradstreet’s identification of individuals involved in the misconduct, sharing all relevant facts, making current and former employees available for interviews, providing translations of foreign language documents into English, compliance programme and internal accounting controls enhancements, remedial actions against individuals including termination of employees involved in the misconduct (including an officer of the China subsidiary and other senior employees), and disgorgement of profits through a resolution with the SEC. The SEC separately ordered Dun & Bradstreet to pay disgorgement of over US$6 million, prejudgment interest of over US$1.1 million, and a civil penalty of US$2 million.^[31] Dun & Bradstreet did not admit or deny the allegations. According to its order, the SEC considered Dun & Bradstreet’s self-disclosure, co-operation and remedial efforts in reaching the agreement. The Dun & Bradstreet declination illustrates that the DOJ under the new administration will continue to recognise companies’ efforts at co-operation and self-disclosure.

The Pilot Program and its codification as the Corporate Enforcement Policy has demonstrated the DOJ’s commitment rewarding voluntary self-disclosure in FCPA enforcement, and by many accounts has been viewed as very successful.

Benczkowski Memorandum

As part of its ongoing effort to update and clarify its corporate enforcement policies, in October 2018, the DOJ issued new guidance on imposing corporate compliance monitors. Assistant Attorney General Brian Benczkowski outlined the new guidance in a speech at the NYU School of Law Program on Corporate Compliance and Enforcement Conference on Achieving Effective Compliance,^[32] which was followed by an official memorandum (the Benczkowski Memorandum).^[33] The new policy supplements the 2008 Morford Memorandum, which outlined the principles on selection, scope and duration of monitorships, and supersedes the guidance contained in the 2009 Breuer Memorandum on imposing corporate monitors. Mr Benczkowski explained that the goal of the new guidance was to ‘further refine the factors that go into the determination of whether a monitor is needed, as well as clarify and refine the monitor selection process.’

Under the Benczkowski Memorandum, the potential benefits of employing a corporate monitor should be weighed against the cost of a monitor and its impact on the operations of the corporation. In making a determination to impose a corporate monitor, the DOJ will consider a number of factors, including the type of misconduct, the pervasiveness of the conduct and whether it involved senior management, the investments and improvements a company has made to its corporate compliance programme and internal controls, and whether those improvements have been tested to demonstrate that they would prevent or detect similar misconduct in the future. Other factors include whether remedial actions were taken against individuals involved, and the industry and geography in which the company operates and the nature of the company’s clientele. The Benczkowski Memorandum provides that ‘Where a corporation’s compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will not be necessary.’^[34]

The guidelines are clearly intended to complement the goals articulated in the Corporate Enforcement Policy, giving companies greater incentives to self-disclose and co-operate with DOJ investigations of corporate wrongdoing. A key feature of the Benczkowski Memorandum is that companies can receive meaningful credit, namely avoiding a compliance monitor, by engaging in extensive remediation of their compliance programmes.

4.3.1.2 SEC co-operation credit

Although it can be difficult to precisely quantify the benefit of co-operation with the SEC, the Commission will consider general principles of sentencing, especially general deterrence. In both public statements and in practice, the Commission has made clear that companies can receive significant leniency for full co-operation. During a speech on 9 May 2018, SEC Enforcement Division Co-Director Steven Peikin emphasised the importance of co-operation, noting that the SEC would continue to provide ‘incentives to those who come forward and provide valuable information’ to the SEC.^[35]

While the SEC has not entered into any non-prosecution agreements (NPAs) since 2016 and has only entered into three NPAs since their inception in 2010,^[36] the SEC nevertheless signalled its continued commitment to using NPAs to reward co-operation through its proposed whistleblower rule amendments. Specifically, the proposed rule amendments would allow the SEC to make award payments to whistleblowers based on money collected as a result of DPAs and NPAs, to ‘ensure that whistleblowers are not disadvantaged because of the particular form of an action’ that the SEC or another regulator takes.^[37] The SEC will, however, set a high bar before entering into an NPA in an FCPA enforcement action. With respect to NPAs entered into with Akamai Technologies, Inc and Nortek, Inc in 2016, Kara Brockmeyer, former Chief of the SEC Enforcement Division’s FCPA Unit, stated that ‘Akamai and Nortek each promptly tightened their internal controls after discovering the bribes and took swift remedial measures to eliminate the problems. They handled it the right way and got expeditious resolutions as a result.’^[38]

4.4 Risks in voluntarily self-reporting

While self-disclosure can reap significant monetary benefits, a company must balance the potential risks against any potential benefit. Self-reporting can give rise to lengthy co-operation obligations and increased government scrutiny. As discussed above, the multi-jurisdictional nature of many ‘white-collar’ matters means that self-reporting may lead to enquiries from global regulators, differing resolutions and ongoing obligations.

Furthermore, the DOJ is likely to impose a stringent bar when evaluating the sufficiency of compliance programmes to determine whether the requirements of the Corporate Enforcement Policy are met or to otherwise reduce liability. In November 2015, the DOJ hired an experienced former in-house compliance officer, Hui Chen, to serve as its Compliance Counsel, to assist prosecutors with the assessment of companies’ compliance programmes.^[39]

Although Chen resigned from her position in June 2017,^[40] during her tenure she helped to formalise the DOJ’s guidance to companies who may find themselves under investigation or faced with the decision whether to make a voluntary disclosure. On 8 February 2017, the DOJ published revised guidance for companies called ‘Evaluation of Corporate Compliance Programs’ (the Guidance). The Guidance is composed of 119 common questions that the DOJ asks when evaluating a company’s compliance programme. The Guidance focuses on three overarching areas: (1) company culture, (2) compliance structure and resources, and (3) effectiveness of company policies and procedures. This third category received considerable attention in the Guidance.

Although the content of the Guidance is largely familiar to practitioners, it does give a clearer picture of the DOJ’s current approach to corporate compliance. The issuance of the Guidance underscores the DOJ’s renewed focus on the operation, rather than the appearance, of corporate compliance programmes. The Guidance suggests that companies should expect to be asked detailed and challenging questions regarding the scope and effectiveness of their compliance programmes. If a company’s compliance programme fails to withstand such scrutiny, it risks losing credit for the programme, paying higher penalties or even facing separate violations for inadequate internal controls. While the Guidance remains in place even after Ms Chen’s departure, the DOJ has eliminated the Compliance Counsel role. Instead, Assistant Attorney General Benczkowski said, the DOJ will focus on ‘building a team of attorneys who offer diverse skill-sets’, including compliance experience. ^[41]

Taking these existing increasingly stringent co-operation standards into consideration, companies considering self-disclosure should carefully assess whether they can meet regulator expectations. If companies fall short, regulators may refuse co-operation credit and use the information obtained through the self-disclosure against the company.

4.5 Risks in choosing not to self-report

US regulators have vocally warned that the potential downside of not self-reporting any violation could be significant where the matter is otherwise brought to their attention. In a 5 July 2018 press release announcing an NPA with a Hong Kong-based subsidiary of Credit Suisse Group AG to resolve an investigation into ‘princeling’ hiring by the bank, the DOJ noted certain steps the firm did not take that limited the amount of co-operation credit it received. Specifically, the bank did not receive voluntary disclosure credit and did not receive full co-operation credit because its ‘cooperation was reactive and not proactive.’^[42]

Consequently, companies should carefully consider the likelihood that the conduct will be discovered by other means. It is important to consider whether other industry players could affect the company’s position. Industry-wide trends may expose a company’s misconduct. If regulators undertake an industry-wide investigation into particular practices, which we have observed in recent years with pharmaceutical companies, medical device manufacturers and automobile companies, a company might be exposed by a competitor’s self-report or more passively through a third-party subpoena or any investigative demand.

Companies should also be sensitive to increasing whistleblower activity. Current or former employees are incentivised to report potential misconduct to US regulators, which has led to substantial recoveries for the government. The SEC’s whistleblower programme has only been in place for a few years, but has been steadily active so far with 57 whistleblower awards, totalling more than US$320 million in payouts up to October 2018. Whistleblowers are eligible to receive awards between 10 per cent and 30 per cent of the money recovered if their ‘high-quality original information’ leads to enforcement actions in which the SEC orders at least US$1 million.^[43] The programme continues to be a priority for the Commission. In March 2018, the SEC announced its largest-ever whistleblower award, with two whistleblowers sharing nearly US$50 million and a third receiving more than US$33 million. Previously, the highest award had been US$30 million, awarded to a non-US resident in September 2014.^[44] In September 2018, the SEC awarded its second-highest whistleblower award of US$39 million to one whistleblower, with a second receiving US$15 million.^[45] It is therefore important that a company consider the real possibility that its conduct could be exposed by means other than voluntary self-disclosure, and the associated, often expensive, risks associated with not being the first to come forward.

When deciding not to self-report, a company must ensure that the decision is appropriately considered and documented. If a company decides not to self-report and the government later enquires about the issue, the best defence is that the company conducted a thorough investigation, remediated the issue and had a reasonable basis for not self-reporting to the government. US regulators will look to a company’s board of directors to ensure the appropriate steps were taken.^[46] The SEC has expressed that the board of directors must exercise oversight and set a strong ‘tone at the top’ emphasising the importance of compliance.

Footnotes

¹Amanda Raad is a partner, Sean Seelinger and Arefa Shakeel are counsel, and Jaime Orloff Feeney and Zaneta Wykowska are associates at Ropes & Gray LLP.

²Serious Fraud Office (SFO) v. Eurasian Natural Resources Corporation Ltd [2017] EWHC 1017 (QB) 8 May 2017.

³See ‘Société Générale S.A. Agrees to Pay $860 Million in Criminal Penalties for Bribing Gaddafi-Era Libyan Officials and Manipulating LIBOR Rate’, available at https://www.justice.gov/opa/pr/soci-t-g-n-rale-sa-agrees-pay-860-million-criminal-penalties-bribing-gaddafi-era-libyan.

⁴See ‘Deputy Attorney General Rod Rosenstein Delivers Remarks to the New York City Bar White Collar Crime Institute’, available at https://www.justice.gov/opa/speech/deputy-attorney-general-
rod-rosenstein-delivers-remarks-new-york-city-bar-white-collar.

⁵See, e.g., 31 U.S.C. 5318(g).

⁶These requirements are far more limited, however, than those in the United Kingdom under the Proceeds of Crime Act, which imposes broad suspicious activity report filing requirements on all parties in the regulated sector, including financial institutions, lawyers and accountants, upon the knowledge or reasonable suspicion of money laundering. Part 7 of the Proceeds of Crime Act 2002 ss.327-329.

⁷For more details see, ‘The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance’ available at https://www.justice.gov/opa/file/838386/download. (FCPA Enforcement Plan and Guidance).

⁸See ‘Attorney General Jeff Sessions Delivers Remarks at Ethics and Compliance Initiative Annual Conference’, available at https://www.justice.gov/opa/speech/attorney-general-jeff-sessions
-delivers-remarks-ethics-and-compliance-initiative-annual.

⁹Memorandum from Eric Holder, Deputy Attorney Gen., Dep’t of Justice, on Bringing Criminal Charges Against Corps. to Dep’t Component Heads and U.S. Attorneys (16 June 1999) (Holder Memorandum), available at https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2010/04/11/charging-corps.PDF.

¹⁰Id. at 3 (listing eight factors prosecutors should consider in deciding whether to bring charges against corporations that include ‘[t]he corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents . . . .’).

¹¹Justice Manual §§ 9-28.000.

¹²Id. §§ 9-28.700 – Value of Cooperation.

¹³Memorandum from Deputy Attorney General Mark Filip to Heads of Department Components and United States Attorneys, Principles of Federal Prosecution of Business Organizations (28 August 2008), at 4.

¹⁴Yates Memorandum, Department of Justice, 9 September 2015, available at http://www.justice.gov/
dag/file/769036/download at 3.

¹⁵The DOJ revised the section of the Justice Manual titled ‘Principles of Federal Prosecution of Business Organizations’ in November 2015 to reflect these steps.

¹⁶Justice Manual § 9-28.700 (2015).

¹⁷See Acting Principal Deputy Assistant Attorney General Trevor N. McFadden of the Justice Department’s Criminal Division Speaks at ACI’s 19th Annual Conference on Foreign Corrupt Practices Act, available at https://www.justice.gov/opa/speech/acting-principal-deputy-assistant-
attorney-general-trevor-n-mcfadden-justice-department-s.

¹⁸Yates Memorandum at 3.

¹⁹Justice Manual § 9-28.700.

²⁰Id.

²¹See FCPA Enforcement Plan and Guidance, supra note 7.

²²See ‘Deputy Attorney General Rosenstein Delivers Remarks at the 34th International Conference on the Foreign Corrupt Practices Act’, available at https://www.justice.gov/opa/speech/deputy-attorney-general-rosenstein-delivers-remarks-34th-international-conference-foreign.

²³See FCPA Corporate Enforcement Policy, U.S. Dep’t of Justice, Justice Manual 9-47.120 available at https://www.justice.gov/criminal-fraud/file/838416/download (Corporate Enforcement Policy).

²⁴See Jody Godoy, DOJ Expands Leniency Beyond FCPA, Lets Barclays Off (Law360), 1 March 2018, https://www.law360.com/articles/1017798/doj-expands-leniency-beyond-
fcpa-lets-barclays-off.

²⁵FCPA Enforcement Plan and Guidance.

²⁶Corporate Enforcement Policy at Section 1. ‘Aggravating circumstances that may warrant a criminal resolution include, but are not limited to, involvement by executive management of the company in the misconduct; a significant profit to the company from the misconduct; pervasiveness of the misconduct within the company; and criminal recidivism.’

²⁷FCPA Enforcement Plan and Guidance at 8-9.

²⁸Corporate Enforcement Policy at Section 1. The Enforcement Policy provides specific guidance on the criteria for evaluating a corporate compliance programme, while also noting that the criteria may vary based on the size and resources of an organisation. Factors listed in the policy include culture of compliance, compliance resources, the quality and experience of compliance resources, independence and authority of the compliance function, effective risk assessments and risk-based approach, compensation and promotion of compliance employees, compliance-related auditing, and compliance reporting structure.

²⁹See https://www.justice.gov/criminal-fraud/pilot-program/declinations.

³⁰See https://www.justice.gov/criminal-fraud/file/1055401/download.

³¹See https://www.sec.gov/litigation/admin/2018/34-83088.pdf.

³²See ‘Assistant Attorney General Brian A. Benczkowski Delivers Remarks at NYU School of Law Program on Corporate Compliance and Enforcement Conference on Achieving Effective Compliance’ available at https://www.justice.gov/opa/speech/assistant-attorney-general-brian-
benczkowski-delivers-remarks-nyu-school-law-program.

³³See Benczkowski Memorandum, Department of Justice, 11 October 2018, available at https://www.justice.gov/opa/speech/file/1100531/download.

³⁴Benczkowski Memorandum at 2.

³⁵See ‘Keynote Address at the New York City Bar Association’s 7th Annual White Collar Crime Institute’, available at https:// www.sec.gov/news/speech/speech-peikin-050918.

³⁶The SEC announced its first NPA in an FCPA case in 2013, when it entered into an NPA with Ralph Lauren Corporation relating to bribes paid to government officials in Argentina. See ‘SEC Announces Non-Prosecution Agreement With Ralph Lauren Corporation Involving FCPA Misconduct’ available at https://www.sec.gov/news/press-release/2013-2013-65htm. The SEC announced its second and third NPAs on 7 June 2016, declining to prosecute US-based internet services provider Akamai Technologies, Inc. and US-based residential and commercial building products manufacturer Nortek, Inc. See ‘SEC Announces Two Non-Prosecution Agreements in FCPA Cases’ available at https://www.sec.gov/news/pressrelease/2016-109.html.

³⁷See ‘SEC Proposes Whistleblower Rule Amendments’ available at https://www.sec.gov/news/press-release/2018-120.

³⁸See ‘SEC Announces Two Non-Prosecution Agreements in FCPA Cases’, available at https://www.sec.gov/news/pressrelease/2016-109.html.

³⁹https://www.justice.gov/criminal-fraud/file/790236/download.

⁴⁰See ‘DOJ Corporate Compliance Watchdog Resigns Citing Trump’s Conduct’, available at
http://thehill.com/homenews/administration/340472-doj-corporate-compliance-watchdog-
resigns-cites-trumps-conduct.

⁴¹See ‘Criminal division scraps compliance counsel, unveils new hiring strategy’ available at https://globalinvestigationsreview.com/article/jac/1175603/criminaldivision-scrapscompliance-
counselunveils-new-hiringstrategy.

⁴²See ‘Credit Suisse’s Investment Bank in Hong Kong Agrees to Pay $47 Million Criminal Penalty for Corrupt Hiring Scheme that Violated the FCPA’, available at https://www.justice.gov/opa/pr/credit-suisse-s-investment-bank-hong-kong-agrees-pay-47-million-criminal-penalty-corrupt.

⁴³More information is available at the SEC’s ‘Office of the Whistleblower’ site at
https://www.sec.gov/whistleblower.

⁴⁴See ‘SEC Announces Its Largest-Ever Whistleblower Awards’ available at https://www.sec.gov/ news/press-release/2018-44.

⁴⁵See ‘SEC Awards More Than $54 Million to Two Whistleblowers’ available at https://www.sec.gov/news/press-release/2018-179.

⁴⁶Notification of the board of directors is often required under US law. Section 307 of the Sarbanes-Oxley Act of 2002 requires that an attorney report evidence of a material violation of securities laws or breach of fiduciary duty by the company or any agent ‘up-the-ladder’ (i.e., first to the chief legal officer or CEO and, thereafter, if appropriate remedial measures are not taken, to the audit committee of the board or other board committee comprised solely of non-employee directors). Wherever possible, it is best to engage the board’s disclosure counsel to assist in making this determination.