RegTrail Insights: DOJ Key Policy Updates Regarding Compliance Programmes

[1] DOJ Evaluation of Corporate Compliance Programs [ECCP]

The updated ECCP document is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance programme was effective at the time of a criminal offence, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).

The major update to the ECCP relates to governance over personal devices and third-party messaging applications, a relevant and timely topic for both regulated and non-regulated firms given recent fines by the SEC and CFTC to major financial firms for use of personal devices to conduct regulated business.

Use of personal devices and third-party messaging applications

Assistant Attorney General Kenneth A. Polite, Jr. in his speech notes “under the revised ECCP, we will consider how policies governing messaging applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate, business-related electronic data and communications can be preserved and accessed.

Our prosecutors will also consider how companies communicate the policies to employees, and whether they enforce them on a consistent basis. We will ask about the electronic communication channels used by the business and their preservation and deletion settings. And we’ll ask about any “bring your own device,” or BYOD programme, and associated preservation policies.”

He goes on to state that the DOJ won’t stop there noting that “during the investigation, if a company has not produced communications from these third-party messaging applications, our prosecutors will not accept that at face value. They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws, among other things.”

Below is a summary of updates to the ECCP guidance in relation to use of personal devices or third-party messaging platforms. Given the proliferation of communication platforms in the energy and commodity space, we advise firms to review and benchmark the below observations with current policies and procedures irrespective of your firm’s regulatory jurisdiction(s).

ECCP Updates – Use of Personal Devices or Third party Messaging Applications

[A] Policies and Procedures to identity and report potential misconduct. Under the updated ECCP, additional guidance is provided to prosecutors on evaluating a corporation’s policies and procedures for identifying, reporting, investigating, and remediating potential misconduct over an employees’ use of personal devices and third-party messaging platforms.

[B] Policies tailored to the corporation’s risk profile. The ECCP notes that policies governing such applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company.

[C] Communication of Policies and Procedures to employees. The ECCP also notes that prosecutors should consider how the policies and procedures have been communicated to employees, and whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.

Considerations prosecutors will use when conducting an evaluation include:

Communication Channels

• What electronic communication channels do the company and its employees use, or allow to be used, to conduct business?
• How does that practice vary by jurisdiction and business function, and why?
• What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?
• What preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each?

Policy Environment

• What policies and procedures are in place to ensure that communications and other data is preserved from devices that are replaced?
• What are the relevant code of conduct, privacy, security, and employment laws or policies that govern the organization’s ability to ensure security or monitor/access business-related communications?
• If the company has a “bring your own device” (BYOD) programme, what are its policies governing preservation of and access to corporate data and communications stored on personal devices—including data contained within messaging platforms—and what is the rationale behind those policies?
• How have the company’s data retention and business conduct policies been applied and enforced with respect to personal devices and messaging applications?

 Risk Management

• What are the consequences for employees who refuse the company access to company communications? Has the company ever exercised these rights?
• Has the company disciplined employees who fail to comply with the policy or the requirement that they give the company access to these communications?
• Has the use of personal devices or messaging applications—including ephemeral messaging applications—impaired in any way the organization’s compliance programme or its ability to conduct internal investigations or respond to requests from prosecutors or civil enforcement or regulatory agencies?
• How does the organization manage security and exercise control over the communication channels used to conduct the organization’s affairs?

[2] Criminal Division’s Pilot Programme Regarding Compensation Incentives and Clawbacks

In his speech, Mr. Polite notes the Criminal Division has updated its policies concerning corporate compensation systems acknowledging that compensation structures that clearly and effectively impose financial penalties for misconduct can deter risky behaviour and foster a culture of compliance while at the same time, positive incentives, such as promotions, rewards, and bonuses for improving and developing a compliance programme or demonstrating ethical leadership, can drive compliance.

The two major changes as part of the updated policy are as follows:

[A] Prosecutors will consider more closely compensation structures and consequence management when evaluating compliance programmes.

• Compensation systems that use affirmative metrics and benchmarks can reward compliance-promoting behaviour.
• Compensation systems that clearly and effectively impose financial penalties for misconduct can also deter risky behaviour and foster a culture of compliance.
• Rewarding corporations that develop solutions to incentivize better compliance through their compensation systems, including the use of clawback policies.

[B] The Criminal Division is launching a 3 year pilot programme effective March 15, 2023 (1) to require, as part of a criminal resolution, that corporate compliance programmes include compensation-related criteria; and (2) to offer fine reductions for companies that seek to clawback compensation in appropriate cases.

Compliance Enhancements

• The Programme provides that, when entering into criminal resolutions, companies will be required to implement compliance-related criteria in their compensation and bonus system and to report to the Division about such implementation during the term of such resolutions.
• The Programme also directs Division prosecutors to consider possible fine reductions where companies seek to recoup compensation from culpable employees and others who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were wilfully blind to, the misconduct.
• Examples of compliance-related criteria may include, but are not limited to: (1) a prohibition on bonuses for employees who do not satisfy compliance performance requirements; (2) disciplinary measures for employees who violate applicable law and others who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were wilfully blind to, the misconduct; and (3) incentives for employees who demonstrate full commitment to compliance processes.

 Deferred Fine Reduction

• The Criminal Division will consider fine reductions where companies seek to recoup compensation from employees who engaged in misconduct.
• Under the pilot programme, prosecutors may accord a reduction of the fine in the amount of 100% of any compensation that a company is able to recoup during the period of the resolution. Companies may also receive a reduction for good faith attempts to recoup compensation.
• If a company’s good faith effort is unsuccessful by the time the resolution term ends, prosecutors will have discretion to accord a fine reduction of up to 25% of the amount of compensation that has been sought.

[3] Revised Memorandum on Selection of Monitors in Criminal Division Matters

The Memorandum clarifies how the Criminal Division will determine whether a corporate monitor is appropriate as part of a corporate criminal resolution.

Mr. Polite in his speech makes explicit that any submission of a monitor candidate by the company and selection of a monitor candidate by the Criminal Division should be made in keeping with the department’s commitment to diversity, equity, and inclusion.

The Memorandum updates clarify four topics:

(1) Consistent with Department-wide policy, prosecutors should not apply presumptions for or against monitors, and should consider ten non-exhaustive factors when assessing the need for, and potential benefits of, a monitor

(2) Consistent with the Criminal Division’s practice since at least 2018, many of the requirements for monitors apply to monitor teams, in addition to the titular monitors;

(3) Monitor selections are and will be made in keeping with the Department’s commitment to diversity, equity, and inclusion; and

(4) The cooling off period for monitors is now not less than three years, rather than two years, from the date of the termination of the monitorship.

It instructs prosecutors not to apply presumptions for or against monitors. Instead, in assessing the need for and potential benefits of a monitor, the DOJ may broadly consider whether an entity has made relevant changes to corporate culture or leadership and taken effective remedial actions, including implementation of an effective, adequately tested and resourced compliance programme.