What the DOJ’s New Criminal Enforcement Rules Mean to Directors, Officers, and the Companies They Serve

In September 2022, the US Department of Justice released a memorandum that updates and revises its corporate criminal enforcement policies in conjunction with a speech delivered by Deputy Attorney General Lisa Monaco on corporate crime.

These revisions build on previous policies and practices established by the DOJ and its Corporate Crime Advisory Group in 2021. Deputy AG Monaco reiterated that prosecuting individuals who commit a crime remains the DOJ’s top priority.

In its latest memorandum, the DOJ details guidance on individual accountability, voluntary self-disclosure, corporate compliance—including through compensation programs—and more. The memo also updates the DOJ’s policy on the use of compliance monitors, one of the items that falls outside the scope of this blog.

Individual Accountability

The updated guidance on corporate criminal enforcement dangles incentives in front of companies to ensure that individuals are held accountable for their crimes.

For example, to be eligible for any cooperation credit when under investigation, the corporation must disclose any facts about individuals “swiftly and without delay.” In addition, the DOJ prioritizes the prosecution of individuals over the resolution of corporate investigations.

According to the DOJ’s memo:

To be eligible for any cooperation credit, corporations must disclose to the Department all relevant, non-privileged facts about individual misconduct. The mere disclosure of records, however, is not enough. If disclosures come too long after the misconduct in question, they reduce the likelihood that the government may be able to adequately investigate the matter in time to seek appropriate criminal charges against individuals. … Companies seeking cooperation credit ultimately bear the burden of ensuring that documents are produced in a timely manner to prosecutors.

To push forward the DOJ’s interest in prosecuting culpable individuals, the memo notes that in most cases prosecutors will complete investigations into individual defendants and charge them if appropriate to do so—before allowing companies to resolve their issues with the DOJ.

Voluntary Self-Disclosure

Voluntary self-disclosure is front and center for corporations in the DOJ’s updated policies. The DOJ is attempting to offer more incentives for reporting misconduct before word gets out:

[C]orporations may come to the Department and disclose this [still non-public] misconduct, enabling the government to investigate and hold wrongdoers accountable more quickly than would otherwise be the case. Department policies and procedures must ensure that a corporation benefits from its decision to come forward to the Department and voluntarily self-disclose misconduct, through resolution under more favorable terms than if the government had learned of the misconduct through other means.

As summarized in a memorandum by the law firm Wilson Sonsini: “Absent aggravating factors, the DOJ will not seek a guilty plea for a company that voluntarily self-discloses, fully cooperates, and timely remedies the wrongdoing” [emphasis added].

The memorandum specifically addresses the tricky issue of corporations that may be constrained from providing the DOJ with certain information due to the need to comply with foreign law.

It's clear the DOJ will have no tolerance for companies that attempt to “capitalize on data privacy laws and similar statutes to shield misconduct.” Companies that find ways to “navigate such issues of foreign law and produce such records,” on the other hand, are to be given cooperation credit.

Corporate Compliance: Compensation and Secrecy

Under its guidance on corporate accountability, the DOJ states that prosecutors should take into account the company’s compliance practices.

The DOJ takes the view that companies are in the best position to deter criminal behavior: “Corporations can best deter misconduct if they make clear that all individuals who engage in or contribute to criminal misconduct will be held personally accountable.”

In its memo, the DOJ emphasizes the role that clawback policies in a company’s compensation arrangements and programs can play when it comes to deterring misbehavior, be it for individual employees or executives and others in a position to supervise employee behavior. The DOJ memo even floats the idea of putting compensation into an escrow to make the threat of a clawback more credible:

Since misconduct is often discovered after it has occurred, prosecutors should examine whether compensation systems are crafted in a way that allows for retroactive discipline, including through the use of clawback measures, partial escrowing of compensation, or equivalent arrangements.

When it comes to compensation practices that deter bad behavior, the memorandum implies that written policies may not be enough. Instead, the DOJ will look for evidence that companies actually followed their written policies when misconduct takes place.

In addition to using compensation programs to punish bad behavior, the DOJ also encourages using compensation programs to promote a culture of compliance. To do this, the DOJ suggests that compliance metrics be used to reward good behavior.

Finally, the memorandum makes it clear that the DOJ ultimately wants to ensure that the public becomes aware of corporate misconduct by individuals, including the consequences of these actions. As such, the DOJ will take a dim view of the use of non-disclosure and non-disparagement provisions that attempt to keep this information from the public.

Personal Devices and Third-Party Applications

As part of evaluating a company’s compliance program, the DOJ makes clear that companies need to access and store data from all devices that employees use for business purposes:

As part of evaluating a corporation's policies and mechanisms for identifying, reporting, investigating, and remediating potential violations of law, prosecutors should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.

While not exactly the same issue, this guidance on personal devices certainly rhymes with the scrutiny other government agencies have brought to the use of personal devices and messaging platforms for corporate business.

See, for example, the $1.8 billion in fines levied by the SEC and CFTC against Wall Street firms related to failing to preserve certain corporate electronic communications on personal devices and messaging platforms.

Takeaways

Some boards will find it appropriate to ask their general counsel to do a briefing on how the DOJ’s memorandum may or may not impact their companies. As part of the discussion, boards will want to understand whether the company needs to update its compliance posture when it comes to criminal investigations in light of the new memorandum.

Other good questions include whether the DOJ’s memorandum is reason to update clawback and other compensation policies. Finally, boards will want to confirm that their companies have a way to retrieve and preserve messages and other communications conducted on personal devices and messaging platforms. On this last point, some training of employees may be in order.

Directors and officers may also want to look at their personal indemnification agreements to ensure that they will advance legal fees even in the face of overwhelming pressure from the DOJ for companies to identify culpable individuals. In a world in which the current administration is taking an aggressive position on prosecuting individuals, these agreements may be more important than ever.

Remember that most D&O policies will have a substantial self-insured retention (like a deductible) that must be paid before the D&O policy responds, so it is the personal indemnification agreement that provides for things like the advancement of legal fees for individuals to defend themselves in the early days of an investigation.

Finally, review your D&O insurance. As a reminder, D&O insurance cannot be used to pay criminal fines and penalties. However, we do want D&O insurance to be available to defend individuals including—where available—for informal inquiries by a regulating body.

The DOJ is not perfect when it comes to only prosecuting wrongdoers, so directors and officers are right to take seriously both the oversight of compliance as well as lining up sources of defense costs should they find themselves involved in an investigation.