Self-Reporting to the Authorities and Other Disclosure Obligations: The US Perspective

4.1         Introduction

While there is typically no formal obligation in the United States to disclose potential wrongdoing to enforcement authorities, there can often be strategic advantages to doing so. Indeed, in some cases, subjects of investigations may avoid some of the most adverse consequences by self-reporting, including reduced penalties and more favourable settlement terms. Additionally, companies in certain regulated sectors may avoid potential debarment even where clear violations occurred. Moreover, US regulators have increasingly been incentivising companies to self-report by offering potential co-operation credit for doing so. However, while the US enforcement regime has created a substantial historical record to analyse, the unique circumstances of each case, as well as changing principles and priorities of regulators, make quantifying such strategic advantages difficult.

4.2         Mandatory self-reporting to authorities

Prior to considering whether to make a voluntary disclosure, it is important for at least two reasons to determine whether the company has any potential mandatory reporting obligation. First, mandatory reporting obligations often contain specific requirements with respect to the recipient, form, timing and content of the disclosure. Second, any evaluation of whether to self-report will be materially altered if a mandatory report is required, even if that report is in another jurisdiction, given the clear commitment to sharing information between regulators in the United States and abroad. In other words, if a company is required to self-report in at least one jurisdiction, it should consider voluntarily disclosing in other jurisdictions given the likelihood that the government agencies will share information.

Indeed, cross-border collaboration has significantly increased in recent years. In April 2016, Andrew Weissmann, the chief of the Fraud Section at the US Department of Justice (DOJ), remarked that companies should expect that the DOJ will inform its foreign counterparts of potential violations of law, even if those violations are self-reported. Weissmann also noted that international regulators will co-operate to divide fines instead of piggybacking on each other’s cases.¹

4.2.1      Statutory and regulatory mandatory disclosure obligations

In the United States, most disclosure obligations originate in statute or regulations. Key examples include:

• the Sarbanes-Oxley Act of 2002, which requires the disclosure of all information that has a material financial effect on a public company in periodic financial reports;
• the US Bank Secrecy Act of 1970, which requires financial institutions to disclose certain suspicious transactions or currency transactions in excess of US$10,000;
• the US Anti-Money Laundering Regulations, which require financial institutions to report actual or suspected money laundering under certain circumstances;², ³
• state data breach regulations – 47 of 50 US states have laws requiring companies conducting business in the state to disclose data breaches involving personal information; and
• the Anti-Kickback Enforcement Act of 1986, which requires government contractors to make a ‘timely notification’ of violations of federal criminal law or overpayments in connection with the award or performance of most federal government contracts or subcontracts, including those performed outside the United States.

4.2.2      Disclosure obligations under existing agreements with the government

In addition to statutory or regulatory-based mandatory disclosure requirements, companies must also evaluate whether they have any mandatory disclosure obligations under pre-existing agreements with the government. For example, if a company is subject to a deferred prosecution agreement (DPA) or corporate integrity agreement (CIA), these agreements often contain self-reporting mandates for any subsequent violations. In many cases, as discussed in depth in Chapter 28 on monitorships, these agreements may require the appointment of independent monitors. While DPAs, CIAs, and similar agreements have been used frequently in the United States, other countries are also now seeking to increase use of similar agreements to drive self-reporting and co-operation. Most notably, in the United Kingdom the Serious Fraud Office (SFO) entered into its first DPA, with Standard Bank, in late 2015.

4.2.3      Other sources of mandatory disclosure obligations

Individuals and companies may also have mandatory disclosure obligations as a result of private contractual agreements as well as membership in professional bodies. Such disclosures between private parties may lead to a disclosure to a regulator by the receiving entity. For example, a subcontractor may be obliged by contract to report issues to the contracting party. That contracting party may subsequently determine that it is subject to its own reporting obligation or may in turn choose to self-report to reduce any potential liability.

4.3         Voluntary self-reporting to authorities

While the DOJ and the US Securities and Exchange Commission (SEC) consider several factors in deciding how to proceed with and resolve investigations and enforcement actions in cases involving corporations, self-reporting and co-operation are important factors for both agencies. Whether to voluntarily self-report to US authorities is a fact-intensive and holistic inquiry. There is no one-size-fits-all approach to this analysis, but those contemplating voluntarily disclosing misconduct to US authorities should keep certain considerations in mind.

4.3.1      Advantages of voluntarily self-reporting

The primary benefit to self-reporting is to secure potentially reduced penalties through earned co-operation credit and, moreover, to maintain the opportunity to control the flow of information to regulators. In recent years, US regulators have become increasingly vocal about the benefits of self-disclosure and co-operation, with the DOJ even formalising the benefits available to self-disclosing companies, most recently in its one-year Foreign Corrupt Practices Act (FCPA) Pilot Program (Pilot Program).⁴ Yet, co-operation, which inevitably goes hand in hand with a voluntary disclosure, imposes significant demands on corporations and is not without meaningful risk.

4.3.1.1    DOJ co-operation credit

To encourage self-reporting and co-operation, the DOJ has issued and subsequently revised guidance on the subject for many years. In June 1999, the DOJ issued the Principles of Federal Prosecution of Business Organizations, now known as the ‘Holder Memorandum’, to articulate and standardise the factors to be considered by federal prosecutors in making charging decisions against corporations.⁵ The Holder Memorandum instructed DOJ prosecutors to consider as a factor in bringing charges whether a corporation has timely and voluntarily disclosed wrongdoing and whether it has been willing ‘to cooperate in the investigation of its agents.’⁶ In 2008, the then Deputy Attorney General, Mark R Filip, added language to the US Attorneys’ Manual (USAM),⁷ maintaining that when assessing a corporation’s co-operation, a prosecutor may consider ‘the corporation’s willingness to provide relevant information and evidence and identify relevant actors within and outside the corporation, including senior executives.’⁸ Mr Filip also outlined in his memorandum nine factors on which prosecutors base their corporate charging and resolution decisions, the so-called ‘Filip Factors’, that incorporated some of the language provided initially by Holder in 1999 (Filip Factor Four, a corporation’s ‘willingness to cooperate in the investigation of its agents’), and the addition of Filip Factor Eight: ‘the adequacy of prosecution of individuals responsible for the corporation’s malfeasance.’⁹

The Yates Memorandum

Building on the prior DOJ guidance, Deputy Attorney General Sally Quillian Yates issued the Memorandum of Individual Accountability for Corporate Wrongdoing, now known as the ‘Yates Memorandum’, in September 2015.¹⁰ The Yates Memorandum outlines the ‘six key steps’ prosecutors should take in all future investigations of corporate wrongdoing.¹¹ Some of these steps represent significant – though not drastic – policy changes, whereas others are simply a memorialisation of best practices that have already been in place in various United States Attorney’s Offices across the country. The most significant policy shift in the Yates Memorandum concerns the relationship between a company’s co-operation with respect to individual wrongdoers and the company’s eligibility to receive co-operation credit. Previously, the Filip Factor Four weighed the provision of information regarding culpable individuals as one consideration among many. Following the Yates Memorandum’s directives, the identification of responsible individuals is now a ‘threshold requirement’ for receiving any co-operation credit consideration.¹²

As discussed in more detail in Chapter 10 on co-operating with authorities, by making full disclosure and co-operation with regard to individuals a prerequisite for any co-operation credit for the company, the DOJ has raised the stakes. Deputy Attorney General Yates emphasised that a failure to conduct a robust internal investigation is not an excuse, stating that ‘^companies may not pick and choose what facts to disclose.’¹³ At face value, the Yates Memorandum and Deputy Attorney General Yates’s accompanying remarks suggest that a company could conduct a diligent and thorough investigation that still fails to identify culpable individuals despite the best efforts of the company. However, subsequent public statements by Deputy Attorney General Yates and Assistant Attorney General Leslie Caldwell have emphasised the DOJ’s willingness to use appropriate discretion. The revised USAM reflects this consideration, noting: ‘There may be circumstances where, despite its best efforts to conduct a thorough investigation, a company genuinely cannot get access to certain evidence or is actually prohibited from disclosing it to the government.’¹⁴ However, the USAM is clear that in such cases ‘the company seeking cooperation will bear the burden of explaining the restrictions it is facing to the prosecutor.’¹⁵ Consequently, the importance of thorough and properly scoped internal investigations has never been greater.

One-Year FCPA Pilot Program

In April 2016, the DOJ announced through the Fraud Section’s revised FCPA Enforcement Plan and Guidance that it was launching a one-year Pilot Program to enhance its efforts to detect and prosecute individuals and companies for violations of the FCPA.¹⁶ Among other things, the Pilot Program endeavours to further increase coordination with foreign counterparts, recognising the multi-jurisdictional nature of most FCPA cases, and to provide greater transparency about what the DOJ already requires from companies seeking mitigation credit for voluntarily self-disclosing misconduct, fully co-operating with an investigation and remediating.

The Pilot Program sets forth specific factors that must be met for a company to earn credit for voluntary self-disclosure. The disclosure (1) must not be mandated by any law, agreement or contract; (2) must occur prior to an imminent threat of disclosure or government investigation; (3) must be disclosed within a reasonably prompt time after the company becomes aware of the offence; and (4) must include all relevant facts known to the company, including all relevant facts about the individuals involved in any FCPA violation.¹⁷ The Pilot Program also provides specific guidance on the steps a company must take to earn full co-operation credit and to provide timely and appropriate remediation, noting that such steps are consistent with the Yates Memorandum and the USAM’s Sentencing Guidelines.

The FCPA Enforcement Plan and Guidance also sets forth the benefits available to companies under the Pilot Program, and the credit available to companies that meet the conditions for disclosure makes clear that the DOJ deeply values a company’s voluntary self-disclosure. Under the Pilot Program, companies that fully co-operate with DOJ investigations and implement appropriate remediation in FCPA matters, but that do not voluntarily self-disclose, will be eligible for limited credit, at most a 25 per cent reduction off the bottom of the Sentencing Guidelines fine range. However, when a company has voluntarily self-disclosed, fully co-operated with the DOJ, and has timely and appropriately remediated, the company will qualify for the full range of potential mitigation credit. This means that if a criminal resolution is warranted, the Fraud Section’s FCPA Unit ‘may accord up to a 50 per cent reduction off the bottom end of the Sentencing Guidelines fine range, if a fine is sought; and generally should not require appointment of a monitor if a company has, at the time of the resolution, implemented an effective compliance programme.’¹⁸ Depending on the seriousness of the offence and whether the company has resolved other matters with the DOJ within the past five years, the FCPA Unit may also consider a declination of prosecution, though companies would still be required to disgorge all profits resulting from the FCPA violation.¹⁹

The Pilot Program sends a clear message that the DOJ deeply encourages voluntary self-disclosure and will reward companies that come forward with timely and complete information, at least for the next year until it is re-evaluated. As currently formulated, the Pilot Program is available to companies negotiating potential resolutions with the DOJ, even if their initial disclosures were made prior to the announcement of the Pilot Program.²⁰

On 7 June 2016, the DOJ issued its first declinations under the Pilot Program.²¹ The DOJ declined to prosecute US-based cloud computing and content delivery network company, Akamai Technologies, Inc (Akamai), and US-based residential and commercial building products manufacturer Nortek, Inc (Nortek) for unrelated FCPA violations by their Chinese subsidiaries.²² The DOJ stated that both companies fulfilled the Pilot Program’s requirements through (1) prompt voluntary self-disclosure of the misconduct, (2) thorough internal investigation, and (3) thorough co-operation and remediation. Among other factors, the DOJ specifically acknowledged both companies’ identification of all individuals involved in the misconduct, sharing of all relevant facts, compliance programme and internal accounting controls enhancements, voluntary translation of documents from Chinese into English, voluntarily making witnesses in China available for interviews, appropriate remedial actions against the individuals and entities involved in the misconduct, and disgorgement of relevant profits through both companies’ coordinated resolutions with the SEC. Akamai and Nortek separately entered into non-prosecution agreements (NPAs) with the SEC for violations of the books and records and internal controls provisions of the FCPA (these were only the second and third FCPA NPAs from the SEC since it announced in 2010 that it was adopting NPAs and DPAs).²³ While these declinations did not necessarily result in a more favourable result than would have been achieved under prior settlements following full co-operation, the Pilot Program nevertheless provides companies a more formal and certain pathway towards disclosure and co-operation credit.

4.3.1.2    SEC co-operation credit

Although it can be difficult to precisely quantify the benefit of co-operation with the SEC, the Commission will consider general principles of sentencing, especially general deterrence. In both public statements and in practice, the Commission has made clear that companies can receive significant leniency for full co-operation. During a speech on 29 April 2016, SEC Enforcement Director Andrew Ceresney emphasised the importance of co-operation, noting that companies have dodged monetary penalties for helping the agency in its investigations.²⁴ Mr Ceresney cited the February 2016 SAP SE settlement involving allegations that the company’s internal controls failed to flag a former executive’s misconduct, which consisted of allegedly falsifying internal approval forms and disguising bribes as discounts to Panamanian officials. In connection with the settlement, SAP SE agreed to disgorge US$3.7 million in sales profits, but escaped a fine after it agreed to take remedial measures and co-operated extensively with a separate SEC investigation of the former executive.²⁵

While the Akamai and Nortek NPAs in June 2016 only represented the second and third FCPA NPAs since their inception in 2010, the SEC nevertheless affirmed its commitment to using NPAs as a tool to reward co-operation. Mr Ceresney stated: ‘When companies self-report and lay all their cards on the table, non-prosecution agreements are an effective way to get the money back and save the government substantial time and resources while crediting extensive cooperation.’²⁶ The SEC will, however, set a high bar before entering into an NPA in an FCPA enforcement action. Kara Brockmeyer, Chief of the SEC Enforcement Division’s FCPA Unit, stated that ‘Akamai and Nortek each promptly tightened their internal controls after discovering the bribes and took swift remedial measures to eliminate the problems. They handled it the right way and got expeditious resolutions as a result.’²⁷

Risks in voluntarily self-reporting

While self-disclosure can reap significant monetary benefits, a company must balance the potential risks against any potential benefit. Self-reporting can give rise to lengthy co-operation obligations and increased government scrutiny. As discussed above, the multi-jurisdictional nature of many ‘white-collar’ matters means that self-reporting may very likely lead to enquiries from global regulators, differing resolutions and ongoing obligations.

Furthermore, the DOJ is likely to impose a stringent bar when evaluating the sufficiency of compliance programmes to determine whether the requirements of the Pilot Program are met or to otherwise reduce liability. In November 2015, the DOJ hired an experienced former in-house compliance officer, Hui Chen, to serve as its Compliance Counsel, to assist prosecutors with the assessment of companies’ compliance programmes.²⁸

With Hui Chen’s involvement, companies should expect that if they are being investigated or making a voluntary disclosure, the questions regarding their compliance programme will be quite targeted and the expectations for the strength of that compliance programme will be higher. Chen recently stated, ‘Compliance programmes are dynamic; they’re evolving. . . . What we want to see is real attention, real dialogue, and also executives really walking the walk beyond talking the talk.’²⁹ Consequently, companies should ensure that they have a strong, risk-based compliance programme if they are considering making a self-report.

The DOJ’s rare public 2012 declination of Morgan Stanley also serves as a good guide to the strength of compliance programme that the DOJ will expect before considering a declination or substantial reduction in penalties.³⁰ In that case, the DOJ found that Morgan Stanley maintained a system of internal controls, regularly updated its policies, had broad prohibitions on the provision of potentially improper benefits, conducted regular monitoring activities and provided frequent training to employees.³¹ In determining that a declination was appropriate, the DOJ noted that a rogue employee ‘actively sought to evade Morgan Stanley’s internal controls in an effort to enrich himself and a Chinese government official’ and ‘used a web of deceit to thwart’ Morgan Stanley’s internal controls.³² The DOJ’s continued emphasis on strong compliance programmes and internal controls was evidence in the recent NPAs with Akamai and Nortek under the Pilot Program.³³ Both declinations included references to each company’s enhancements to their respective compliance programmes.

Taking the increasingly stringent co-operation standards into consideration, companies considering self-disclosure should carefully assess whether they can meet regulator expectations. If companies fall short, regulators may refuse co-operation credit and use the information obtained through the self-disclosure against the company.

Risks in choosing not to self-report

US regulators have vocally warned that the potential downside of not self-reporting any violation could be significant where the matter is otherwise brought to their attention. Specifically, during his April 2016 remarks, Mr Ceresney warned that companies will face enhanced penalties if the SEC learns that the firm knew of violations and decided not to report them, and that companies that fail to co-operate will be unable to obtain perks like deferred prosecution agreements. At the same event, Andrew Weissmann, Chief of the DOJ Criminal Division’s Fraud Section, forecasted an upcoming enforcement action against a company that failed to remediate after self-detecting violations, saying that, as a result, the company faced larger fines.³⁴ Past DOJ enforcement actions reflect this stance as well.

Consequently, companies should carefully consider the likelihood that the conduct will be discovered by other means. It is important to consider whether other industry players could affect the company’s position. Industry-wide trends may expose a company’s misconduct. If regulators undertake an industry-wide investigation into particular practices, which we have observed in recent years with pharmaceutical companies, medical device manufacturers and automobile companies, a company might be exposed by a competitor’s self-report or more passively through a third-party subpoena or any investigative demand.

Companies should also be sensitive to increasing whistleblower activity. Current or former employees are incentivised to report potential misconduct to US regulators, which has led to substantial recoveries for the government. The SEC’s whistleblower programme has only been in place for a few years, but has been steadily active so far with 18 whistleblower awards, totalling more than US$65 million in payouts. Whistleblowers are eligible to receive awards between 10 per cent to 30 per cent of the money recovered if their ‘high-quality original information’ leads to enforcement actions in which the SEC orders at least US$1 million.³⁵ The programme continues to be a priority for the Commission. At its annual ‘SEC Speaks’ conference in February 2015, Regional Director David Glockner stressed the Commission’s ability to provide awards to foreign nationals, noting the SEC made its largest whistleblower payment of US$30 million in September 2014 to a non-US resident.³⁶ It is therefore important that a company consider the real possibility that its conduct could be exposed by means other than voluntary self-disclosure, and the associated, often expensive, risks associated with not being the first to come forward.

When deciding not to self-report, a company must ensure that the decision is appropriately considered and documented. If a company decides not to self-report and the government later enquires about the issue, the best defence is that the company conducted a thorough investigation, remediated the issue, and had a reasonable basis for not self-reporting to the government. US regulators will look to a company’s board of directors to ensure the appropriate steps were taken.³⁷ The SEC has expressed that the board of directors must exercise oversight and set a strong ‘tone at the top’ emphasising the importance of compliance. In 2014, Mary Jo White, chair of the SEC, advised boards of directors that they should ‘make it clear from the outset that ^their expectation is that any internal investigation will search for misconduct wherever and however high up it occurred; that the company will act promptly and report in real-time to the Enforcement staff on any misconduct uncovered; and that the company will hold its responsible employees to account.’³⁸

Notes

1. Practising Law Institute Seminar, Enforcement 2016: Perspectives from Government Agencies, by DOJ Fraud Section Chief Andrew Weissmann (29 April 2016).
2. See, e.g., 31 U.S.C. 5318(g).
3. These requirements are far more limited, however, than those in the United Kingdom under the Proceeds of Crime Act, which imposes broad suspicious activity report filing requirements on all parties in the regulated gector, including financial institutions, lawyers and accountants, upon the knowledge or reasonable suspicion of money laundering. Part 7 of the Proceeds of Crime Act 2002 ss.327-329.
4. For more details see, ‘The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance’ available at https://www.justice.gov/opa/file/838386/download.
5. Memorandum from Eric Holder, Deputy Attorney Gen., Dep’t of Justice, on Bringing Criminal Charges Against Corps. to Dep’t Component Heads and U.S. Attorneys (16 June 1999) (Holder Memorandum), available at https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2010/04/11/charging-corps.PDF.
6. Id. at 3 (listing eight factors prosecutors should consider in deciding whether to bring charges against corporations that include ‘[t]he corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents . . . .’).
7. U.S. Attorneys’ Manual U§§ 9-28.000.
8. Id. §§ 9-28.700 – Value of Cooperation.
9. Memorandum from Deputy Attorney General Mark Filip to Heads of Department Components and United States Attorneys, Principles of Federal Prosecution of Business Organizations (28 August 2008), at 4.
10. Yates Memorandum, Department of Justice, 9 September 2015, available at http://www.justice.gov/dag/file/769036/download at 3.
11. The DOJ revised the section of the U.S. Attorneys’ Manual titled ‘Principles of Federal Prosecution of Business Organizations’ in November 2015 to reflect these steps.
12. U.S. Attorneys’ Manual § 9-28.700 (2015).
13. Yates Memorandum at 3.
14. U.S. Attorneys’ Manual § 9-28.700.
15. Id.
16. See Fraud Section’s FCPA Enforcement Plan and Guidance available at https://www.justice.gov/criminal-fraud/file/838416/download (FCPA Enforcement Plan and Guidance).
17. FCPA Enforcement Plan and Guidance.
18. Id. at 8.
19. Id. at 9.
20. See https://www.justice.gov/opa/blog/criminal-division-launches-new-fcpa-pilot-program.
21. The DOJ has demonstrated a prior willingness to reduce penalties for companies providing full co-operation. For instance, the DOJ declined to prosecute PetroTiger Ltd., a British Virgin Islands oil and gas company, after it voluntarily self-disclosed the existence of a bribery and kickback scheme orchestrated by top executives relating to a US$40 million oil services contract between PetroTiger and a state-owned Colombian petroleum company. PetroTiger took remedial measures and fully co-operated with the investigation, which led to the indictments of the company’s two former co-CEOs and former general counsel.
22. See https://globalinvestigationsreview.com/article/1035951/doj-issues-declinations-to-two-companies-under-fcpa-pilot-programme.
23. The Akamai NPA is available at https://www.sec.gov/news/press/2016/2016-109-npa-akamai.pdf, and the Nortek NPA is available at https://www.sec.gov/news/press/2016/2016-109-npa-nortek.pdf.
24. See http://www.law360.com/whitecollar/articles/790881?nl_pk=8f2efcbe-0aea-4712-b554-a7ef3a49f474&utm_source=newsletter&utm_medium=email&utm_campaign=whitecollar.
25. See https://www.sec.gov/news/pressrelease/2016-17.html. DOJ prosecuted this former executive regarding this scheme, and the executive pled guilty to one count of conspiracy to violate the FCPA and received a twenty-two-month sentence. The executive also settled with the SEC and paid disgorgement of US$85,965 plus prejudgment interest. See https://www.justice.gov/opa/pr/former-executive-sentenced-conspiracy-bribe-panamanian-officials.
26. See ‘SEC Announces Two Non-Prosecution Agreements in FCPA Cases’ available at https://www.sec.gov/news/pressrelease/2016-109.html.
27. Id.
28. https://www.justice.gov/criminal-fraud/file/790236/download.
29. Remarks at a round table discussion at New York University School of Law when Hui Chen made the first public appearance (13 November 2015).
30. https://www.justice.gov/opa/pr/former-morgan-stanley-managing-director-pleads-guilty-role-evading-internal-controls-required.
31. Id.
32. Id.
33. See https://www.justice.gov/criminal-fraud/file/865411/download; see also https://www.sec.gov/news/pressrelease/2016-109.html.
34. Remarks at the Practising Law Institute’s programme ‘Enforcement 2016: Perspectives from Government Agencies’ (29 April 2016); see also http://www.law360.com/articles/790881/incentives-for-self-reporting-are-real-enforcers-insist.
35. More information is available at the SEC’s ‘Office of the Whistleblower’ site at https://www.sec.gov/whistleblower.
36. https://www.sec.gov/News/PressRelease/Detail/PressRelease/1370543011290#.VOzurVUo5ow.
37. Notification of the board of directors is often required under US law. Section 307 of the Sarbanes-Oxley Act of 2002 requires that an attorney report evidence of a material violation of securities laws or breach of fiduciary duty by the company or any agent ‘up-the-ladder’ (i.e., first to the chief legal officer or CEO and, thereafter, if appropriate remedial measures are not taken, to the audit committee of the board or other board committee comprised solely of non-employee directors). Wherever possible, it is best to engage the board’s disclosure counsel to assist in making this determination.
38. https://www.sec.gov/News/Speech/Detail/Speech/1370542148863.