To self-report, or not to self-report, that is the question: a cross-border comparison

In summary

This article summarises some of the key benefits and risks of self-reporting in the United States, the United Kingdom and France, drawing out the principal similarities and differences between these three key jurisdictions. Recent pronouncements by each country suggest increasing harmonisation in their approaches, perhaps to make the investigation of multinational corporations more consistent and cross-border enforcement more effective; however, there are a number of key differences of which companies should be aware.

Discussion points

• Self-reporting regimes in the United States, the United Kingdom and France

Referenced in this article

• US Department of Justice (DOJ)
• DOJ Justice Manual
• Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy
• Serious Fraud Office
• FCA Handbook
• DPA Code of Practice
• National Financial Prosecutor’s Office
• French Anti-Corruption Agency
• Sapin II Law

‘To be, or not to be, that is the question.’^[1] In the famous speech in Shakespeare’s ^[2]) or ending his suffering (with the fearful uncertainty of what may lie ahead). Likewise, a company that has uncovered potential wrongdoing will often have to choose between seeking to resolve the issue in private (with the risk that the matter will subsequently come to the attention of the authorities) or to self-report voluntarily (setting in motion an external investigation, the result of which is unknown and potentially very damaging).

The assessment of the risks and rewards of either option increasingly requires companies to take a multi-jurisdictional approach. Even where the relevant conduct may have been confined to a single jurisdiction, companies with cross-border operations must consider their legal exposure across a range of jurisdictions, as well as the appetite of the authorities in each relevant country to investigate, should they become aware of the matter.

This is all the more so as key jurisdictions have passed new laws with wide extraterritorial effect, enforcement authorities have shown themselves willing and able to cooperate closely with their international counterparts, and legal regimes have evolved to incentivise prompt self-reporting (and impliedly sanction companies that do not). The result is that companies can no longer take a siloed national approach but rather must consider strategy in the round.

This article summarises some of the key benefits and risks of self-reporting in the United States, the United Kingdom and France, drawing out the principal similarities and differences between these three key jurisdictions. Recent pronouncements by each country suggest increasing harmonisation in their approaches, perhaps to make the investigation of multinational corporations more consistent and cross-border enforcement more effective; however, there are a number of key differences of which companies should be aware.

United States

While there is no formal obligation under US law to self-report potential wrongdoing to enforcement authorities, the manual for federal prosecutors,^[3] promulgated by the US Department of Justice (DOJ), has long provided that ‘prosecutors may consider a corporation’s timely and voluntary disclosure, both as an independent factor and in evaluating the company’s overall cooperation’.^[4]The separate guidance specific to the DOJ’s Foreign Corrupt Practices Unit similarly highlights the benefits of self-disclosure but likewise notes that self-disclosure is ‘voluntary’.^[5]

Notwithstanding the ‘voluntary’ label, DOJ leadership has placed heavy emphasis on self-reporting, providing substantial benefits to companies that do so while both directly and impliedly threatening more drastic consequences for those that do not. The Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy (the Policy) spells out those benefits, which can include more favourable settlement terms and reduced financial penalties.^[6] Perhaps most importantly, the Policy provides that ‘when a company has voluntarily self-disclosed misconduct to [DOJ], fully cooperated, and timely and appropriately remediated . . . there will be a presumption that the company will receive a declination absent aggravating circumstances involving the seriousness of the offense or the nature of the offender’.^[7] By contrast, companies that choose not to self-report face the prospect of criminal indictment, which can itself be ruinous even before fines and penalties are imposed.

For companies facing the prospect of self-reporting, the benefits noted above must be carefully weighed against the daunting work US authorities require of companies seeking self-disclosure and cooperation credit.

First, with respect to timing, the DOJ requires companies even considering self-reporting to make that decision quickly, mandating that a company make a disclosure ‘immediately upon the company becoming aware of the allegation of misconduct’ and ‘prior to an imminent threat of disclosure or government investigation’.^[8] If what the DOJ considers to be aggravating circumstances are present, including involvement by executive management or a significant profit resulting from the misconduct, the company’s disclosure must be made even sooner or immediately after the company becomes aware of the allegation of misconduct to maintain eligibility for a declination (a decision not to prosecute).^[9]

While companies often face pressure to self-report conduct before knowing all the facts, the DOJ’s increasing focus on speed may exacerbate that tension in circumstances where a company needs to investigate matters thoroughly before reporting something of potential significance and consequence.

Second, the DOJ requires that companies seeking to self-report under the Policy must provide ‘all relevant, non-privileged facts known to it, including all relevant facts and evidence about all individuals involved in or responsible for the misconduct’.^[10] This self-report must be made with regard to ‘all individuals . . . inside and outside of the company regardless of their position, status, or seniority’.^[11]

Third, the Policy requires full cooperation following disclosure. This aspect of the Policy typically requires a prompt, robust internal investigation by the company’s counsel and includes an ongoing obligation to disclose ‘all non-privileged facts relevant to the wrongdoing at issue’,^[12] which includes facts gathered during an internal investigation, attribution of those facts to specific sources as opposed to a general narrative and timely updates regarding the internal investigation (including identification of the individuals involved in the wrongdoing and details regarding their conduct). The DOJ has made it clear that cooperation is expected to be ‘proactive rather than reactive’ and that the company should go so far as to be aware of and identify opportunities for ‘[the DOJ] to obtain relevant evidence not in the company’s possession and not otherwise known to [the DOJ]’.^[13]

According to the Policy, full cooperation also requires timely and voluntary preservation, collection and disclosure of relevant documents and information, including disclosure of overseas documents and information and the ‘facilitation of third-party production of documents’ and translations of relevant documents.^[14] Where the provision of overseas documents or information may be restricted because of data privacy rules or blocking statutes, the company bears the burden of establishing the existence of those restrictions and is required to identify ‘reasonable and legal alternatives’ to assist the DOJ in obtaining the information.^[15] Companies seeking full cooperation credit are also expected to make employees, consistent with their individual rights under US law, available for interviews with the DOJ.

Fourth, any company that self-discloses must be prepared to subject its compliance programme to heavy scrutiny. In conjunction with announcing recent changes to the Policy, DOJ leaders have emphasised that voluntary self-disclosure is an indicator of a working compliance programme and a healthy corporate culture, adding that companies who ‘own up will be appropriately rewarded in the [DOJ’s] approach to corporate crime’.^[16] Conversely, senior DOJ leaders have warned even more recently that for companies whose compliance programmes are not up to date or adequate, their failure to proactively improve and enhance their compliance function will ‘cost them down the line’.^[17]

Consistent with that guidance, and as part of engagement with the DOJ following self-disclosure, companies are expected to provide details regarding their compliance programme, both at the time of the misconduct and at the time of resolution. Moreover, the Policy expressly requires that companies seeking cooperation credit establish that they have engaged in ‘timely and appropriate remediation’,^[18] including improvements to the compliance function as needed.

Fifth, and most recently, DOJ leadership announced a pilot programme on compensation incentives and clawbacks (the Pilot Program), requiring companies to ‘develop compliance-promoting criteria within [their] compensation and bonus system[s]’, making clear that the compensation system will also be scrutinised as part of any DOJ resolution.^[19] Under the Pilot Program, the DOJ will require all corporate resolutions to include compliance enhancements directly related to the remuneration and bonus system, including prohibitions on bonuses for employees who do not satisfy ‘compliance performance requirements’ and disciplinary measures to be imposed on employees who violated the law, as well as those who had supervisory authority over the employees or business area that engaged in the misconduct or were ‘willfully blind’ to it.^[20] Even if a criminal resolution is warranted, if a company demonstrates that it has implemented a programme to recoup compensation from employees engaged in wrongdoing, any fines imposed will be reduced.^[21]

Taken collectively, these requirements impose substantial burdens on companies seeking to self-report and, therefore, require careful consideration when evaluating whether voluntary self-disclosure is appropriate and in the company’s best interests. While the DOJ’s heavy emphasis on voluntary self-disclosure makes clear its own position, it is not always clear for a company whether voluntary self-disclosure is in its own interest, particularly in the early stages of efforts to investigate potential misconduct.

Companies must be particularly attuned to the early stages of an internal review, where the decision to self-report is frequently made, and weigh the possibility that making the decision to disclose too early – especially before enough facts are known to make an informed decision – may result in unnecessary scrutiny from enforcement agencies and potential reputational harm to the company that may be avoidable and unwarranted.

United Kingdom

In certain respects, the position in the United Kingdom is similar to that in the United States; however, key areas of difference include (1) the wider set of specific circumstances in which there can be a formal obligation to self-report to relevant authorities and (2) the narrower set of potential benefits of choosing to do so. In particular, in contrast to the position in the United States, formal declinations are not available in the United Kingdom, with the key benefits of a voluntary self-report instead being the increased prospect (but no guarantee) of resolution through a deferred prosecution agreement (DPA) and a reduced financial penalty (in addition to ‘softer’ benefits, such as increased predictability and the ability to better manage any reputational fallout).

While, as in the United States, there is no general obligation to report crime to the authorities, firms regulated by the Financial Conduct Authority (FCA) are under a duty to deal with their regulators in an open and cooperative way and are under an obligation to disclose appropriately ‘anything relating to the firm of which the FCA would reasonably expect notice’.^[22] While the FCA accepts that the timing of the notice depends on the circumstances, it expects a firm to ‘act reasonably’ and discuss relevant matters with it ‘at an early stage, before making any internal or external commitments’. In certain cases, the obligation to notify is immediate.^[23]

Obligations to notify may also arise under applicable anti-money laundering and counter-terrorist financing rules. Persons working in the ‘regulated sector’ (a statutory definition that includes those working in the financial sector, lawyers in relation to certain transactions, auditors, tax advisers, casinos and cryptoasset exchanges) must, subject to certain limited exceptions, submit a suspicious activity report to the National Crime Agency. This duty arises in relation to information that comes to them in the course of their business if they know or suspect, or have reasonable grounds for knowing or suspecting, that a person is engaged in money laundering or terrorist financing, or even just attempting the latter.^[24]

Even if a person does not work in the regulated sector, if they know or suspect that property they are dealing with constitutes or represents a person’s benefit from criminal conduct, they are at risk of committing a money laundering offence unless they make an authorised disclosure and receive ‘consent’ to continue with the activity (referred to as a ‘defence against money laundering’).^[25]

Other notification requirements may arise under the rules of professional bodies^[26] and licensing authorities^[27] or under data privacy^[28] and sanctions legislation.^[29] Companies with securities listed on regulated markets must also consider whether they are obliged to make any market disclosures (eg, if the fact of the underlying conduct or the findings of the internal investigation may constitute inside information).^[30]

Outside these specific cases, the position in the United Kingdom mirrors that in the United States in that, while there is no general duty to disclose potential wrongdoing, there is a heavy emphasis on the benefits of voluntarily doing so.

First, while there is no obligation to notify the Serious Fraud Office (SFO) or His Majesty’s Revenue and Customs of suspected criminal conduct, self-reporting to these bodies is listed as an example of cooperation (which is a public interest factor against prosecution and in favour of resolution by way of a DPA or an asset recovery power);^[31] however, a self-report would be part of what is ultimately a balancing exercise to be undertaken between factors in favour and against prosecution, meaning that a self-report is not a guarantee that a prosecution will not follow.^[32]

In the applicable guidance, the UK prosecutors emphasise that, to be effective, the self-report should be part of a ‘genuinely proactive approach adopted by the corporate management team when the offending is brought to their notice’, involving reporting ‘within a reasonable time of the offending coming to light’ and remedial actions, including (where appropriate) the compensation of victims.^[33]

The reference to ‘reasonable time’ allows scope for a company to conduct at least a preliminary investigation into a potential issue prior to self-reporting. This was expressly acknowledged in a speech given by the director of the SFO in 2019, who stated that companies ‘have a duty to their shareholders to ensure allegations or suspicions are investigated, assessed and verified, so they understand what they may be reporting before they report it’.^[34] The DPA Code of Practice specifically identifies ‘reporting the wrongdoing but failing to verify it, or reporting it knowing or believing it to be inaccurate, misleading or incomplete’ as a public interest factor in favour of prosecution (and against the granting of a DPA).^[35]

When considering a self-report, the prosecutor must consider the totality of the information the company has provided, the extent to which the offending was previously known to the prosecutor and the extent to which the company is providing it voluntarily (ie, without the threat of imminent disclosure by a third party or compulsion).^[36] When considering whether a self-reporting company has been genuinely proactive, prosecutors will also need to establish whether sufficient information has been provided, including making witnesses available and disclosing the details of any internal investigation (although, while an organisation can gain credit for disclosing a privileged internal investigation report, it should, in theory, not lose credit for having chosen not to do so).^[37] It is also important not to withhold material in a manner that would jeopardise an effective investigation or, where appropriate, prosecution of relevant individuals.^[38]

Second, self-reporting and subsequent cooperation can lead to a reduced financial penalty. Under the sentencing guidelines for corporate offenders for fraud, bribery and money laundering offences, the fact that a company ‘co-operated with [the] investigation, made early admissions and/or voluntarily reported offending’ is treated as a mitigating feature, which could result in a lower multiplier on the harm figure for the calculation of a fine.^[39] Cooperation (including self-reporting) can also result in an increased discount on the fine, with a discount of 16.66 per cent (additional to the general 33.33 per cent discount for the equivalent of a guilty plea) being granted in a number of DPAs in recognition of ‘extraordinary’ cooperation. Likewise, the Office for Financial Sanctions Implementation has set out that a prompt and complete voluntary disclosure can result in up to a 50 per cent reduction on the baseline penalty.^[40]

Third, as in the United States, self-reporting is increasingly seen as a requirement for an effective compliance framework and a signal of an appropriate corporate culture. In the DPA agreed by the SFO and Amec Foster Wheeler Energy Limited, the judge held that the ‘proper course’ for the relevant company would have been to self-report to the SFO ‘not as a matter of legal duty, but as a matter of ethical corporate governance’. While the judge acknowledged that there was no legal requirement to report suspected crime to the authorities, he stated ‘there is a moral duty on all citizens in this respect which extends at least equally to corporations. This failure by the board [to do so] was deplorable.’^[41] As a result, directors may increasingly need to consider whether a voluntary disclosure may, in effect, be required as a matter of proper corporate governance or to comply with their duties to promote the success, and act in the best interests, of the company.^[42]

Balanced against this, a number of cases have demonstrated that a DPA and the full 50 per cent discount to the financial penalty may still be secured in the absence of a self-report, as expressly noted by the judge in the Airbus DPA: ‘if subsequent self-reporting or co-operation overall, is of a high quality and brings significant wrongdoing to light that would not otherwise have come to the attention of the authorities, this will be a significant factor in favour of a DPA’.^[43] Nevertheless, the level of cooperation required in those cases has had to be ‘exemplary’, which, in practice, may mean that companies need to make strategic concessions they might not otherwise have made. Further, it may be assumed that a tactical decision not to self-report and later to compensate (if required) via exemplary cooperation would be looked on poorly by the authorities and be high risk.

Ultimately, the choice of whether to make a voluntary self-report in the United Kingdom may come down to a company’s risk appetite. Choosing not to self-report and to remediate in private can have a number of advantages, not least in terms of resource and reputation management; however, it runs the risk that the conduct may otherwise come to the attention of the authorities, in which case the consequences could be worse for the company.

Choosing to self-report, on the other hand, can significantly increase the likelihood of obtaining a DPA and a discount to the financial penalty; however, unlike in the United States, formal declinations are not available, and a self-report, therefore, would expose a company to a risk of potentially substantial fines (and other expenses) it otherwise might not have faced. Other potential consequences include the risk of civil litigation and adverse reactions from shareholders, bankers, insurers, investors and other stakeholders.

While, for some companies, the potential benefits of voluntary disclosure may fall short of what is required to encourage a self-report, for those in regulated industries (where a prosecution or even a charge could lead to a loss of required licences, consents or access to public sector procurements), the choice can be business-critical.

France

In recent years, continental Europe and France have strengthened their fight against corruption, by effectively requiring companies to play a proactive role in detecting and preventing corruption through stronger enforcement, liability of senior management and recent updates regarding self-reporting and cooperation with authorities.

In France, cooperation with authorities, including self-reporting, has not developed at the same speed as in the United States and the United Kingdom. It is mostly with stronger explicit legal requirements regarding compliance systems that France has addressed the need to strengthen the fight against corruption and put ethics and integrity at the forefront to help companies achieve higher ethical standards. Although, there is no explicit legal obligation to self-disclose potential misconduct, recent developments clarify the possibility and advantages to do so.

In France, Law No. 2016-1691^[44] (the Sapin II Law) introduced judicial public interest agreements (CJIPs). This innovative approach for France, commonly referred to as the ‘French DPA’, incentivises cooperation with the French authorities, which may also include the self-reporting of potential misconduct, as further clarified by the French financial prosecutor’s office (the National Financial Prosecutor’s Office (PNF)).^[45]The CJIP is an agreement that may be proposed by the PNF to a legal person, under investigation by the PNF, and that allows legal persons to avoid prosecution for certain offences by paying a public interest fine, putting in place a compliance programme under the monitorship of the French Anti-Corruption Agency (AFA) or repairing the harm caused to potential victims.^[46]

The Sapin II Law has also introduced for companies incorporated in France, and foreign companies not headquartered in France, that exceed certain thresholds^[47] strict compliance measures, which are enumerated in article 17 as eight anti-corruption compliance requirements, namely a code of conduct, a whistle-blowing system, corruption risk mapping, third-party due diligence, accounting controls, awareness and training, a disciplinary system and internal controls.

In this context, and regarding the requirement to implement a whistle-blowing system, both the European Union^[48] and France^[49] have demonstrated a strong commitment to reinforcing whistle-blower protections through enhanced requirements and sanctioning, which, in France, may extend to imprisonment. These requirements and sanctions may concern both the company and individuals, including senior management, and could play an important role in considering self-reporting.

Through the Sapin II Law, which also imposed the creation of an anti-corruption regulator, the AFA, France aimed to promote its anti-corruption regime and compliance obligations as one of the strictest in the world. The AFA is the designated regulator overseeing, among other things, the eight anti-corruption compliance obligations.^[50] The AFA has extensive powers of supervision to investigate companies^[51] as well as responsibilities to educate and issue guidelines.

The creation of the AFA in 2017 and of the PNF in 2014 demonstrates France’s commitment to stronger enforcement, locally and abroad.^[52] Moreover, a general obligation of reporting misconduct exists for public authorities and officials under, which may influence the decision of companies to self-report.^[53]

On 16 January 2023, the PNF released its updated guidelines on the CJIP (the Guidelines),^[54] providing companies and foreign authorities with more clarity, predictability and transparency in the implementation process of a CJIP, with the aim of reinforcing cooperation with French authorities and highlighting the importance of robust compliance programmes.

To benefit from a CJIP, the company must, among other things, cooperate in good faith, which may be assessed by the following:

• spontaneous disclosure within a reasonable time;
• demonstrating active cooperation by conducting an internal investigation;
• sharing with the PNF the internal investigation’s report within a reasonable time;
• spontaneous implementation of a compliance programme; and
• early adoption of corrective measures.^[55]

The PNF specifies that it assesses the element of reasonable time for self-disclosure in light of the time elapsed between the company’s knowledge of the facts and its disclosure to the PNF. A company’s good faith is additionally demonstrated if the self-disclosure concerns facts of which the PNF was not yet aware.^[56]

According to the Guidelines the absence of either a compliance programme, as required under article 17 of Sapin II Law, or of remediation measures, in the case of identified breaches by the AFA, could be considered as unfavourable circumstances for a CJIP. In the assessment of a potential fine, the PNF will assess the level of cooperation of the company in accordance with a set of criteria that may increase or decrease the amount of the fine.^[57] Self-disclosure results in the largest reduction (a maximum reduction of 50 per cent) of the fine.

On 14 March 2023, the AFA and the PNF jointly published a practical guide regarding anti-corruption internal investigations.^[58] Regarding self-disclosure, the guide specifies that a company’s early and truthful reporting to the PNF of misconduct and the sharing of the investigation’s information will likely reduce the fine in the context of a CJIP, whereas any delay in transmitting the information resulting from the internal investigation or partial communication of the information gathered by the company may be considered as an aggravating factor in the calculation of the fine.

The AFA has previously referred to self-disclosure considerations for companies in the context of anti-corruption due diligence in mergers and acquisitions.^[59] In its 2021 practical guide,^[60] the AFA indicates the following:

If the seller is aware of acts of corruption committed by the target before the transaction, it would also be in its interest to conduct an internal investigation to find out whether it could be implicated as an accomplice or for concealment or laundering of the proceeds of this offence. Where appropriate, the seller could consider reporting itself to the public prosecutor in advance of any report of these acts by the purchaser.

Self-disclosure may also be influenced by recent developments in whistle-blower protections, strengthened by a recent EU directive^[61] establishing minimum standards to be transposed nationally, including access to reporting channels both internally (within a company) and externally (directly to authorities).^[62] The Waserman Law^[63] transposed that directive in France by modifying the Sapin II Law, including requiring companies to provide clear and easily accessible information for whistle-blowers to report externally.^[64]

Overall, in France, the protection of whistle-blowers against retaliation and obstruction and strict confidentiality remain among some of the most important in Europe and abroad and are further safeguarded through strict sanctions, which may include fines and up to two years’ imprisonment.^[65] The potential consequences of using an external channel, such as reporting directly to authorities, are often a catalyst for launching internal investigations that may potentially lead companies to consider voluntary self-disclosure.

Conclusion

When weighing up his difficult choice, Hamlet compares the agony of life against the uncertainty of what follows in the afterlife, describing the latter as an ‘undiscovered country’ from which no traveller returns.

As outlined in this article, a key aspect of the regulatory regimes in the United States, the United Kingdom and France has been to reduce the uncertainty of what may follow a self-report and, in doing so, shift the balance in favour of voluntary disclosure. The question remains, however, whether the benefits of voluntary disclosure are sufficiently compelling to offset the hard truth that it may bring issues to the attention of the authorities that they might not otherwise become aware of (and thereby expose a company to legal risks that might otherwise never eventuate).

The United States goes furthest, offering the significant prize (absent aggravating circumstances) of a presumed declination for companies that self-report within a ‘reasonably prompt’ time and are then able to pass the daunting threshold of establishing cooperation credit. By comparison, the United Kingdom and France provide for an increased likelihood – but no guarantee – of securing a DPA or CJIP, respectively, following a self-report that is made within a ‘reasonable’ time (although it can be business critical for companies that operate in regulated industries), which may still involve significant financial and other sanctions that a company remediating in private is unlikely to face.

If companies, as is increasingly common, need to assess the benefits of self-reporting across a number of jurisdictions, a ‘lowest common denominator’ approach may apply, with the decision to self-report being driven by the jurisdiction with the greatest benefits for voluntary disclosure (or sanctions for failure to do so). These decisions made at the outset of finding a compliance issue can be critical strategically and are often fraught with complexity and nuance.

Companies will likely have to navigate competing obligations and manage fact patterns that are rapidly developing and unpredictable. For example, the existence of information gateways between enforcement authorities across different countries may impact the timing or content of a self-report and whether simultaneous or staggered reports should be made in relevant jurisdictions. Leaks by competitors or whistle-blowers may expedite a decision to engage with authorities, and obligations to make market disclosures may create additional complications and risks when triggered.

In any case, the clear lesson is that companies can and should proactively continue to develop a strong culture of compliance, including fulsome policies and a means to comprehensively implement those policies, to be a front line of defence against corporate crime. Further, when a situation arises in which a discussion regarding self-disclosure is necessary, companies should give careful thought to engaging the right people in that discussion – from compliance to legal and to the board, across all potentially relevant jurisdictions – and to do so quickly. As reflected in the DOJ’s ongoing dialogue surrounding corporate crime, time is of the essence, and strategies regarding how to deal with potential wrongdoing should be firmly in place before implementation becomes necessary.

* The authors would like to thank associates James Dobias, Jennifer Levengood, William Merry, Stavroula Nikolaidou and Rebecca Richardson for their assistance in preparing this article.

Notes