Carrots & Sticks: Understanding the DOJ’s New Compliance Rules

Andrew Rosini is a Senior Managing Director and Leader of Global Risk & Investigations Practice; and Toni Mele and Tracy Wilkison are Senior Managing Directors at FTI Consulting. This post is based on an FTI Consulting memorandum by Mr. Rosini, Ms. Mele, Ms. Wilkison, and Pat Pericak.

The Department of Justice is pushing companies to police themselves, voluntarily report misconduct and improve compliance programs. The silver lining? Companies that implement strong compliance programs and proactively report bad behavior may see reduced fines – and other dispensations.

Speaking at the Annual Compliance & Ethics Institute in Washington, D.C., on October 4, U.S. Deputy Attorney General Lisa Monaco reiterated the Department of Justice’s (“DOJ’s”) recently overhauled strategy for attempting to curb white-collar crime in the workplace:

“Gone are the days when executives could view corporate enforcement matters as the cost of doing business,” Monaco said. “In this new era, corporate executives need to redouble time and attention to compliance programs, compensation programs and diligence on acquisitions.”[1]

Monaco’s speech, which introduced new M&A-focused self-disclosure rules, follows her much-covered remarks at an American Bar Association (“ABA”) conference six months earlier, when she formally rolled out the DOJ’s revamped approach.[2] These long-awaited policy changes represent a fundamental shift in enforcement and are part of an attempt to push companies to aggressively police themselves, voluntarily report misconduct to the federal government and improve compliance programs on their own — or risk, in some situations, civil or criminal penalties.[3][4][5][6]

The new enforcement guidance provides a comprehensive roadmap for companies and their legal teams on corporate compliance programs. It also provides incentives and deterrents that will affect the structuring of executive pay and the maintenance of “business-related electronic data and communications” on messaging apps and other forms of encrypted electronic communications.[7]

Given the extent of the changes, as well as the personal liabilities involved in the new DOJ policies, general counsel, risk managers and other compliance-focused officers may be reasonably concerned about adherence. Understanding the DOJ’s new approach, including the various carrots and sticks involved, can both limit risk and ensure that legal and compliance budgets are met.

No ‘Rigid Formula’

The DOJ’s new guidance is composed of three primary considerations: 1) major revisions to its existing corporate compliance program (“CCP”), which includes updated enforcement policies on how “prosecutors should consider a corporation’s policies and procedures governing the use of personal devices, communications platforms and messaging applications, including ephemeral messaging applications”; 2) a three-year pilot program on executive pay that encourages companies to create “compensation systems that clearly and effectively impose financial penalties for misconduct [to] deter risky behavior and foster a culture of compliance”; and 3) Monaco’s October 4 remarks on the DOJ’s “New Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions.”[8][9][10]

The CCP revisions attempt to create a unified framework for prosecutors to assess corporate compliance programs when they are considering filing charges or seeking damages in white-collar criminal cases.[11] While acknowledging it doesn’t instruct prosecutors to use a “rigid formula” when assessing such programs, the updated DOJ guidance does recommend that prosecutors ask the following “three fundamental questions” when they’re considering the merits of a particular case:[12]

  • Is the corporation’s compliance program well designed?[13]
  • Is the program being applied earnestly and in good faith?[14]
  • Does the corporation’s compliance program work in practice?[15]

Most importantly, the CCP includes a major rewrite of the compliance rules involving messaging apps and other encrypted forms of communications in the workplace, an issue that’s been at the center of several recent high-profile federal investigations.[16][17]

The new safe harbor policy applies to companies that voluntarily report suspected “national security-related corporate crime” that is uncovered when they are merging with or acquiring other corporate entities.[18] In her October 4 remarks, Monaco told the audience, “Today, corporate crime intersects with our national security — in everything from terrorist financing, sanctions evasion and the circumvention of export controls to cyber- and crypto-crime.”[19]

In March of this year, the DOJ also announced a temporary program that mandates that all criminal enforcement cases taken up by the agency for three years after March 15, 2023, include “a requirement that the resolving company implement criteria related to compliance in its compensation and bonus system” for executive pay. The specific details of these criteria, which can include both executive pay-related clawbacks and incentives, must be filed with the DOJ once a year while the pilot program is in place.[20]

Stress Testing

The DOJ’s new policies leave many unanswered questions. But one thing is for certain: They were intentionally written to have enough regulatory bite to compel companies to act. In her March ABA remarks, Monaco detailed a recent compliance enforcement action against a Danish bank that resulted in $2 billion in fines. As part of its plea deal with regulators, the bank also agreed to revise its performance review and bonus system to include criteria related to compliance.

Given these robust changes, company leaders may be uncertain where to begin. One good place to start? Making sure a sound policy is in place and stress testing it against the updated CCP rules, which provide comprehensive and detailed instructions for how to test a company’s compliance management system.

For example, when managing risk for messaging apps and other forms of encrypted communications, the updated policy lists the following questions that prosecutors will ask when considering whether a company has done all it could to prevent bad behavior:

  • What are the consequences for employees who refuse the company access to company communications?
  • Has the company ever exercised these rights?
  • Has the company disciplined employees who fail to comply with the policy or the requirement that they give the company access to these communications?
  • Has the use of personal devices or messaging applications — including ephemeral messaging applications — impaired in any way the organization’s compliance program or its ability to conduct internal investigations or respond to requests from prosecutors or civil enforcement or regulatory agencies?
  • How does the organization manage security and exercise control over the communication channels used to conduct the organization’s affairs?

While the DOJ is clearly attempting to send a strong message to the business community, the new DOJ guidance provides a clear pathway for general counsel, risk managers and other compliance-focused officers to limit risk and ensure compliance throughout the process. By enlisting the right expertise, companies can successfully review their current policies to determine if they operate effectively in practice — or whether a fresh approach is needed.

Endnotes

1 “Deputy Attorney General Lisa O. Monaco Announces New Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions,” Office of Public Affairs, U.S. Department of Justice (October 4, 2023).

2 “Deputy Attorney General Lisa Monaco Delivers Remarks at American Bar Association National Institute on White Collar Crime,” Office of Public Affairs, U.S. Department of Justice (March 2, 2023).

3 “The Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks,” DOJ.gov (March 3, 2023).

4 “U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs,” DOJ.gov (March 2023).

5 Prentice, Chris, “U.S. Justice Dept. Toughens on Corporate Crime, Will Pursue More Individuals,” Reuters (October 28, 2021).

6 “Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies,” DOJ.gov (October 28, 2021).

7 “U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs.”

8 “U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs.”

9 “The Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks.”

10 “Deputy Attorney General Lisa O. Monaco Announces New Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions.”

11 “Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies.”

12 Id.

13 Id.

14 Id.

15 Id.

16 “Assistant Attorney General Kenneth A. Polite, Jr. Delivers Keynote at the ABA’s 38th Annual National Institute on White Collar Crime,” Office of Public Affairs, U.S. Department of Justice (March 3, 2023).

17 Prentice, Chris, “US Justice Dept Warns of Steeper Penalties for Firms That Fall Foul of Messaging Policies,” Reuters (March 3, 2023).

18 “Deputy Attorney General Lisa O. Monaco Announces New Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions.”

19 Id.

20 Morton, John S., and Brandon M. Santos, et al., “DOJ Announces ‘Pilot Program Regarding Compensation Incentives and Clawbacks’ with Significant Ramifications for Corporations Facing Criminal Investigations,” Subject to Inquiry, McGuireWoods (March 6, 2023).
