June 20, 2016

Compliance Programs, Individual Liability, and the Yates Memo: Has Anything Changed?

On September 9, 2015, Deputy Attorney General (DAG) Sally Quillian Yates issued a memorandum titled “Individual Accountability for Corporate Wrongdoing.”

The memorandum, which is now known as the “Yates Memo,” identified six directives to federal prosecutors relating to an enhanced focus on individual prosecutions:

  • To be eligible for any cooperation credit, corporations must provide to the Department all relevant facts about the individuals involved in corporate misconduct. During a speech at the New York University (NYU) immediately prior to issuance of the memorandum, Yates emphasized that “if a company wants any credit for cooperation, any credit at all, it must identify all individuals involved in the wrongdoing, regardless of their position, status or seniority in the company and provide all relevant facts about their misconduct. It’s all or nothing. No more picking and choosing what gets disclosed. No more partial credit for cooperation that doesn’t include information about individuals.”
  • Both criminal and civil corporate investigations should focus on individuals from the inception of the investigation.
  • Criminal and civil attorneys handling corporate investigations should be in routine communication with one another.
  • Absent extraordinary circumstances, no corporate resolution will provide protection from criminal or civil liability for any individuals. While the resolution of enforcement actions with corporations has previously had a trickle-down effect for individuals, DOJ attorneys have been now been instructed “that they should not release individuals from civil or criminal liability when resolving a matter with a corporation, except under the rarest of circumstances.”
  • Corporate cases can no longer be resolved without a clear plan to resolve related individual cases before the statute of limitations expires, and declinations as to individuals in such cases must be memorialized. Notably, a prosecutor who decides not to bring charges will need to have a declination memo approved by their U.S. attorney.
  • Civil attorneys must consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay. During her NYU speech, DAG Yates explained that “[t]here is real value, however, in bringing civil cases against individuals who engage in corporate misconduct, even if that value cannot always be measured in dollars and cents. . . . [B]y holding individuals accountable, we can change corporate culture to appropriately recognize the full costs of wrongdoing, rather than treating liability as a cost of doing business – a change that will protect public resources over the long term.”

The benefits of cooperation to the business entity are almost always significant. At this year’s ABA White Collar Crime Conference, DAG Yates drove this point home by emphasizing that a corporation will always receive a tangible benefit for cooperation, including additional credit for self-reporting. With respect her memo, DAG Yates noted that a company need not “boil the ocean,” and as long as a company acts in good faith, they can receive full credit for cooperating even if they can’t designate a particular culpable individual. According to DAG Yates, while the DOJ wants to know “who did what” (from the lowest level employee up to the CEO), it does not expect the company (or its counsel) to do their job for them in building a prosecutable case against culpable individuals. On the other hand, DAG Yates made it clear that the DOJ will “pressure test” the results of the internal investigation to verify the accuracy and completeness of the information provided.

While a corporation or other business entity may be considered a “person” for certain purposes, this is, as every law student knows, a legal fiction. A corporation cannot do anything – it acts through people. As Edward, First Baron Thurlow noted more than 200 years ago, “Did you ever expect a corporation to have a conscience when it has no soul to be damned and no body to be kicked?” Because of this common law understanding, in the United States for many years corporations could not be liable for criminal conduct. It wasn’t until 1909, in New York Central & Hudson River Railroad v. United States, that the Supreme Court decided to get rid of the “old and exploded doctrine” that a corporation was not indictable.

Since that time, prosecutors have increasingly focused on corporate prosecutions, perhaps because of the financial resources available to pay large fines. This approach was also consistent with the common law doctrine of respondeat superior, which holds that the master (in this case, a business entity) is liable for the acts of a servant undertaken within the scope of employment. There is also the doctrine of “collective knowledge,” which imputes the knowledge of individual employees to the corporation, or liability might be imposed on the corporation under a “willful blindness” or “should have known” standard.

At the same time, the “responsible corporate officer” doctrine developed, which imposes liability on a corporate officer for illegal conduct. The Supreme Court said that there is “not only a positive duty to seek out and remedy violations when they occur, but also, and primarily, a duty to implement measures that will insure that violations will not occur.” Consistent with this pronouncement, former attorney general Eric Holder stressed the need to bring criminal actions against people who were in a position to stop violations from occurring.

So, the DOJ’s focus on targeting individuals should not be seen as anything new. DAG Yates herself acknowledged that “some [of these policies] are being already being practiced at various places within DOJ [].” For example, in the FCPA context, so far this year, at least four FCPA enforcement actions have been against individuals. Three of those actions were brought against vice presidents whose corporations entered into deferred or non-prosecution agreements (and paid hefty fines); in the other, there was no separate action against the corporate entity, which was owned and operated by the individual defendant. In the case of New Jersey–based construction management firm Louis Berger International Inc. (LBI), the DOJ entered into a deferred prosecution agreement with the corporation after LBI admitted to FCPA violations, agreed to a $17.1 million criminal penalty, and cooperated in providing evidence that ultimately led to guilty pleas by two of its vice presidents.

It is possible that the Yates Memo’s requirement that to receive any credit at all, companies must throw their employees (or even their executives or board members) under the bus, may cause companies accused of wrongdoing to rethink their defense strategies. While it had been a well-established principle that self-reporting and cooperation with a DOJ investigation was an excellent tool to obtain some degree of leniency, there was not the same emphasis on identifying the responsible individuals. Is it now possible that is potentially landscape changing for companies and their compliance officers? Are compliance officers likely to receive more support (financial and otherwise) from the C-Suite in recognition of the critical role they serve in the company? Are they less likely to be perceived as “cops,” but rather as “protectors” and “trusted advisors”?

However, when it comes to self-reporting violations to the DOJ or SEC, it is equally likely that companies will think twice now where they otherwise may have self-reported. The requirement that all culpable employees (including executives and directors) must be identified will certainly give some pause, if it doesn’t deter self-reporting altogether. Initially, many may hold back to see how the DOJ and SEC implement the directives of the Yates Memo, particularly where there is potential disagreement between the self-reporting company and prosecutors as to whom in the company has culpability and how high up that culpability goes. Presumably, under the Yates Memo, where prosecutors disagree with the company’s conclusions on culpability, the company would receive no credit for cooperation. So, why roll the dice then by self-reporting? For example, under the FCPA, where knowledge may be proved through “deliberate ignorance” or “willful blindness,” regulators may take the position that higher-ups are culpable for a third parties payment of a bribe where the company failed to implement an effective compliance program; whereas, the company may reasonably interpret those same facts as suggesting no such culpability.

But if this situation of companies using self-reporting to hide individuals responsible for violations really existed, it probably never should have been so. A company implementing an “effective” compliance program under the Federal Sentencing Guidelines does so to demonstrate that it used due diligence to “prevent and detect wrongdoing.” If a company voluntarily discloses wrongdoing, it arguably should be expected to identify who were the wrongdoers. Thinking about the Morgan Stanley case where it revealed that an employee sought to evade internal accounting controls, it would have been nonsensical for Morgan Stanley to go to the government and say, “Someone in our organization violated the law and we know who did it, but we aren’t telling you, and you shouldn’t prosecute us.” An offer to cooperate with the government must be sincere, and not halfway. Morgan Stanley demonstrated the thoroughness of its compliance program. It was not prosecuted because it could demonstrate that it took all reasonable steps to prevent the violation by an employee. The person who violated the law should be prosecuted.

So, attorneys and compliance officers should make certain that management understands that a key purpose of compliance programs is to detect wrongdoing, and, when detected, it may well best serve the company to cooperate with the government, even if the company may not protect individual employees who violated the law. The purpose of a corporation is to earn profits for the shareholders – not to cover up the wrongdoing of employees, no matter what their rank. Of course, there may be situations where the proper legal defense strategy is to force a prosecutor to prove his or her case, without cooperation. Defendants have a right not to incriminate themselves.

If liability is fairly clear, the consequences of failing to self-report and cooperate may well wipe out all of the proactive efforts of having a robust compliance program in the first place. On the other hand, by cooperating fully (including identifying all culpable individuals), a company can send a useful message to its workforce of what happens when one does not follow the compliance program: the corporation will not bail you out. So, has the Yates Memo resulted in fewer companies self-reporting and cooperating? According to AG Yates, that’s a definite possibility (since they wouldn’t necessarily learn of those situations), but so far they’ve seen no evidence of this occurring.