Corporate Compliance Survey

This is the sixteenth survey from the Corporate Compliance Committee. As with past surveys, this review summarizes selected legal developments regarding corporate compliance and ethics programs, consisting of organizational codes of conduct, policies, and procedures designed to achieve compliance with applicable legal regulations and internal ethical standards. Prior surveys introduced the subject and annually detailed legal and practical developments in such programs. As in the past, this update assumes familiarity with the subject generally.

This Survey addresses developments in six compliance-related areas since the submission of the prior Survey and covers the period from May 1, 2024, to December 31, 2024. Part I reviews guidance and directives issued by the U.S. Department of Justice (“DOJ”) since May 1, 2024. Part II examines significant compliance cases during that period, including cases related to the Foreign Corrupt Practices Act (“FCPA”), and significant legislative activity, such as an update to filing requirements under the Corporate Transparency Act (“CTA”). Part III discusses developments in the treatment of corporate whistleblowers. Part IV addresses developments regarding the rules recently adopted by the U.S. Securities and Exchange Commission (“SEC”) that require disclosures regarding climate change. Part V reviews the Caremark doctrine and analyzes the one significant decision that applies Caremark and that was issued by a Delaware court during the covered period. Part VI examines matters before the National Labor Relations Board (“NLRB”), including its examination of various employer policies.

I. DOJ Compliance Guidance

As Professor Paul McGreal noted in prior surveys, corporate compliance has become a “system of self-governance established by a business organization seeking to conform its conduct to the demands of public policy.” Compliance consists of two elements: “[m]anagement commitment to do the right thing” and “[m]anagement steps to make this happen.” To that end, since February 2017, the Criminal Division of the U.S. Department of Justice (“DOJ”) has provided guidance on the administration of corporate compliance programs in its Evaluation of Corporate Compliance Programs, including updates in 2019, 2020, 2023, and, most recently, in September 2024 (the “2024 Evaluation Guidance”). A brief summary of the major pronouncements by the DOJ follows to provide a short history and context to the specific guidance provided in 2024.

In February 2017, the DOJ issued its inaugural Evaluation of Corporate Compliance Programs (the “2017 Evaluation Guidance”) as a resource for companies in their design and implementation of corporate ethics and compliance programs. The 2017 Evaluation Guidance provided 119 questions addressing a wide range of issues facing companies.

In April 2019, the Criminal Division of the DOJ revised and expanded upon the 2017 Evaluation Guidance. In this iteration, the DOJ offered a streamlined analysis focusing upon three core questions:

1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
3. Does the corporation’s compliance program work in practice?

In June 2020 (the “2020 Evaluation Guidance”), the DOJ closely adhered to its earlier guidance but changed the latter part of the second core question to: “In other words, is the program adequately resourced and empowered to function effectively?” The guidance stemming from those three core questions continues to this day.

While the Evaluation Guidance provides more formal advice, DOJ leaders periodically offer informal guidance through speeches and memoranda. In October 2021, Deputy U.S. Attorney General Lisa Monaco issued the “Monaco Memo.” One observer noted that the Monaco Memo signaled that the DOJ was implementing a “substantial shift toward a more aggressive approach in corporate crim[inal] matters—especially in terms of the DOJ’s expectations for the pace of corporate internal investigations and related disclosures to the DOJ.” In her memorandum, Monaco:

• Instructed the DOJ to develop further guidance on investment in new technologies, including artificial intelligence, as a tool to investigate corporations;
• Restored prior DOJ guidance—specifically the need for corporations to provide non-privileged information about all individuals involved in misconduct for eligibility for cooperation credit;
• Emphasized relevance of a corporation’s full criminal, civil, and regulatory history in making charging decisions, even if dissimilar from the conduct at issue; and
• Noted that prosecutors are free to require the imposition of a corporate monitor if appropriate.

The 2023 Evaluation Guidance provided a detailed outline of numerous factors for prosecutors to consider in “making informed decisions as to whether and to what extent, the corporation’s compliance program was effective at the time of the offense and is effective at the time of the charging decision or resolution.” To that end, prosecutors still ask the same three “fundamental questions” from the 2020 Evaluation Guidance.

A. September 2024 Update from the DOJ’s Criminal Division

On September 23, 2024, the DOJ published the 2024 Evaluation Guidance. This pronouncement maintained the three fundamental questions:

1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
3. Does the corporation’s compliance program work in practice?

The 2024 Evaluation Guidance reiterated much of the earlier guidance but highlighted several key additions. These additions related to risks associated with new technology, including artificial intelligence; an examination of the importance of culture to compliance and particularly relating to employees’ willingness to raise issues; the protection of whistleblowers; the incorporation of “lessons learned” into compliance training and awareness programs; an emphasis upon the importance of integrating compliance principles in newly acquired businesses; and the provision of necessary resources to corporate compliance functions, including access to meaningful data. Each of these items will be analyzed separately.

1. New Technology and Artificial Intelligence

A significant point of focus of the 2024 Evaluation Guidance centered upon technology and a company’s use of technology in its business operations and for its compliance program. In a new section, the DOJ stated:

Where relevant, prosecutors should consider the technology—especially new and emerging technology—that the company and its employees are using to conduct company business, whether the company has conducted a risk assessment regarding the use of that technology, and whether the company has taken appropriate steps to mitigate any risk associated with the use of that technology.

The 2024 Evaluation Guidance continued its emphasis upon risk-based analysis and simplified its statements regarding Risk-Tailored Resource Allocation with this revised test: “Does the company deploy its compliance resources in a risk-based manner, with greater scrutiny applied to greater areas of risk?”

The 2024 Evaluation Guidance set forth a new section relating to Management of Emerging Risks to Ensure Compliance with Applicable Law. That section posed a series of new questions:

Does the company have a process for identifying and managing emerging internal and external risks that could potentially impact the company’s ability to comply with the law, including risks related to the use of new technologies? How does the company assess the potential impact of new technologies, such as artificial intelligence (AI), on its ability to comply with criminal laws? Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management . . . strategies? What is the company’s approach to governance regarding the use of new technologies such as AI in its commercial business and in its compliance program? How is the company curbing any potential negative or unintended consequences resulting from the use of technologies, both in its commercial business and in its compliance program? How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders? To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct? Do controls exist to ensure that the technology is used only for its intended purposes? What baseline of human decision-making is used to assess AI? How is accountability over use of AI monitored and enforced? How does the company train its employees and the use of emerging technologies such as AI?

2. Importance of Culture to Compliance

A strong corporate culture is central to an effective ethics and compliance regime. According to a quote attributed to corporate guru Peter Drucker, “Culture eats strategy for breakfast.” Quite simply, a company cannot act with integrity on a consistent basis without a strong culture where employees feel comfortable speaking up without fear of retaliation.

The 2024 Evaluation Guidance reflects this reality, highlighting the DOJ’s emphasis upon the creation and cultivation of a culture that actively encourages employees to speak up. The recent guidance reiterates the need for companies to incentivize this behavior and to measure employees’ willingness to do so.

3. Protection of Whistleblowers

As a necessary corollary to its point of emphasis upon creating a culture of compliance transparency, the DOJ provided additional and fairly new guidance on the protection of whistleblowers. Specifically, companies should have a written non-retaliation policy. Employees should be trained on that policy and on the company’s specific anti-retaliation processes and companies should take steps to ensure that whistleblowers are not retaliated against after reporting alleged misconduct. Such protection was emphasized with a new series of questions highlighting that notion and the importance of anti-retaliation policies:

Does the company have an anti-retaliation policy? Does the company train employees on both internal anti-retaliation policies and external anti-retaliation and whistleblower protection laws? To the extent that the company disciplines employees involved in misconduct, are employees who reported internally treated differently than others involved in misconduct who did not? Does the company train employees on internal reporting systems as well as external whistleblower programs and regulatory regimes?

4. Incorporation of “Lessons Learned”

The 2024 Evaluation Guidance also continued to emphasize the importance of learning from issues that the entity previously faced and reflecting that new knowledge by updating the entity’s compliance program:

Is there a process for updating policies and procedures to reflect lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographic region? Is there a process for updating policies and procedures to address emerging risks, including those associated with the use of new technologies?

This theme is reiterated in the section on Form/Content/Effectiveness of Training, where a new question is posed: “Has the training addressed lessons learned from compliance issues faced by other companies operating in the same industry and/or geographical region?” The emphasis upon lessons learned reiterates the basic compliance principle that willful ignorance is not a defense to wrongdoing. This notion will be illuminated below in Part II.C. which addresses the sale of defeat devices by Cummins, Inc. that enabled users to evade emission standards. Clearly, the DOJ will not and should not countenance companies misbehaving in the same or similar manners to competitors in their industries.

5. Integrating Compliance on a Post-Transaction Basis

The new guidance also considered how companies integrate compliance and risk assessment in newly acquired businesses, first examining the use of such risk assessments in the due diligence process and then examining the integration of compliance functions and principles into the new company. As to the former:

Integration in the M&A Process—. . . . Does the company account for migrating or combining critical enterprise resource planning systems as part of the integration process? To what extent did compliance and risk management functions play a role in designing and executing the integration strategy?

As to the latter:

Post-Transaction Compliance Program—What is the company’s process for implementing and/or integrating a compliance program post-transaction? Does the company have a process in place to ensure appropriate compliance oversight of the new business? How is the new business incorporated into the company’s risk assessment activities? How are compliance policies and procedures organized? Are post-acquisition audits conducted at newly acquired entities?

6. Funding and Resourcing the Compliance Function

The 2024 Evaluation Guidance added an important measure relating to the funding and resourcing of the compliance function. Clearly, prosecutors have little patience with companies that use corporate resources for core business functions like sales or procurement but fail to spend a commensurate measure on prevention and mitigation of risk through robust compliance programs. Specifically, the DOJ added a question: “Does the company have a mechanism to measure the commercial value of investments in compliance and risk management?” Once again, the issue of a company’s resource allocation is addressed by considering how a company allocates resources to compliance as compared to its business operations in the technology area:

Proportionate Resources Allocated—How do the assets, resources, and technology available to compliance and risk management compare to those available elsewhere in the company? Is there an imbalance between the technology and resources used by the company to identify and capture market opportunities and the technology and resources used to detect and mitigate risks?

Data and Transparency—To what extent does the company have access to data and information to identify potential misconduct or deficiencies in its compliance program? Can the company demonstrate that it is proactively identifying either misconduct or issues with its compliance program at the earliest stage possible?

Measurement—How and how often does the company measure the success and effectiveness of its compliance program?

B. November 2024 Update from the DOJ’s Antitrust Division

On November 12, 2024, the Antitrust Division of the DOJ released its updated guidance for evaluating corporate compliance programs (the “2024 Antitrust Guidance”), superseding its original 2019 compliance guidance. The 2024 Antitrust Guidance is consistent in tone and message with the DOJ’s 2024 Evaluation Guidance and other informal guidance. An exhaustive review of the 2024 Antitrust Guidance exceeds the scope of this Survey, but an area worth mentioning relates to the division’s commentary on ephemeral messaging.

The 2024 Antitrust Guidance stated that the Antitrust Division will now consider any “electronic communication channels” a company and its employees use or allow to be used for business purposes. The Antitrust Division will also consider:

What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels? Does the company have clear guidelines regarding the use of ephemeral messaging or non-company methods of communication including the extent to which those communications are permitted and when employees must preserve those communications? What preservation or deletion settings are available, and what is the rationale for the company’s approach to what settings are permitted?

A leading voice in the compliance industry, Joe Murphy, took issue with the DOJ’s treatment of ephemeral messaging. He listed ten reasons why the DOJ overreached and misused its authority in this area. Focusing on his strongest arguments, Murphy contended that:

The government is using compliance programs as a lever to extend these narrowly targeted rules to everyone else. There is no legislation supporting this. There has been no consideration of the First Amendment threat from the government attempting to regulate how we communicate.

There are already laws that cover the government’s concerns: We cannot obstruct investigations or engage in misprision of felony. Company policies only need to cover this . . . 

Controlling how everyone in an organization communicates and records their communications is a fool’s errand. As difficult as the compliance job is, this will destroy the compliance program’s credibility and divert it from preventing real crimes and misconduct.

Murphy presented other strong arguments against the DOJ’s increased focus on ephemeral messaging. He compared this enhanced focus with the DOJ’s historic attempts to condition prosecutorial leniency on waiver of the attorney-client privilege.

The Fifteenth Survey considered some practical steps that companies could take in response to the DOJ’s ephemeral messaging guidance, including integrating ephemeral messaging platforms into the company’s information governance program, assessing the company’s use of ephemeral messaging, adopting appropriate written policies regarding ephemeral messaging, and providing training and awareness campaigns.

II. Significant Compliance and FCPA Cases and Legislative Activity

A. Significant Cases

1. TD Bank, N.A.

On October 10, 2024, the Financial Crimes Enforcement Network (“FinCEN”), a bureau of the U.S. Treasury Department and the Office of the Comptroller of the Currency (an independent bureau within the U.S. Treasury Department), announced a settlement with TD Bank, N.A. for its systemic failure to implement an adequate compliance program regarding the Bank Secrecy Act (“BSA”), which is the primary anti-money laundering (“AML”) law that also prevents the financing of terrorism. TD Bank “pleaded guilty to conspiring to fail to maintain an [AML] program that complies with the BSA, fail[ing] to file accurate Currency Transaction Reports . . . , and launder[ing] money.” TD Bank admitted that its program “was neither appropriately designed nor adequately resourced to mitigate the actual illicit finance risks that it faced on multiple fronts.”

TD Bank’s misconduct was egregious. U.S. Attorney General Merrick B. Garland summarized the case this way, “By making its services convenient for criminals, it became one.” From January 2014 through October 2023, TD Bank failed to monitor nearly 90 percent of its transactions totaling over $18.3 trillion! Specifically, TD Bank deliberately did not monitor all domestic automated clearinghouse transactions, most check activity, and numerous other transactions. For example, TD Bank failed to scrutinize money laundering of over $400 million by the Da Ying Sze syndicate of China earned through the illicit sale of fentanyl in the United States. The Sze syndicate allegedly bribed TD Bank employees to permit large cash deposits, which sometimes exceeded $1 million in a single day. Those amounts far exceeded the threshold amount of $10,000 required as a suspicious transaction.

Executives enforced a zero-growth budgetary mandate for its compliance and other control functions, which it called internally the “flat cost paradigm.” As Mike Volkov noted, “TD Bank’s transaction monitoring program remained effectively static, and did not adapt to address known, glaring deficiencies; emerging money laundering risks; or TD Bank’s new products and services.”

The Consent Decree outlines the breadth and depth of TD Bank’s failures as it essentially intentionally underfunded its AML compliance program for years, even as its business boomed. As Nicole Argentieri, the head of DOJ’s Criminal Division said, “For nearly a decade, TD Bank failed to update its [AML] compliance program to address known risks.” The indictment against TD Bank underscored that intent:

The Defendants did not substantively update the Bank’s automated transaction monitoring system from at least 2014 through 2022—including to address known gaps and vulnerabilities in the [Bank’s] transaction monitoring program—despite increases in the volume and risk of its business and significant changes in the nature and risk of transactional activity.

What sets TD Bank’s actions apart from other historic scandals was that the wrongdoing went well beyond corporate indifference or merely casting a blind eye to bad or even illegal behavior. The leaders consciously decided not to fund the compliance program and knew that, by doing so, they were failing to meet legal and industry standards—all as part of a corporate strategy. A leading commentator, Matt Kelly of Radical Compliance, wrote, “Suffice to say, TD Bank chose this path of a cheapskate compliance program, consequences be damned. Those consequences were known and documented—and then ignored, for years, all to achieve a clearly stated strategy.”

Besides agreeing to pay more than $3 billion in criminal and civil penalties, TD Bank agreed to undertake the following corrective actions:

• Establish a dedicated, board-level compliance committee;
• Draft and implement a plan to overhaul its AML compliance program;
• Hire an independent compliance consultant to review the bank’s compliance program;
• Hire a senior-level AML compliance officer; and
• Adequately staff its AML compliance program.

Lisa Monaco of the DOJ specifically warned banking leadership and compliance officials: “Every bank compliance official in America should be reviewing today’s charges as a case study of what not to do. And every bank CEO and board member should be doing the same. Because if the business case for compliance wasn’t clear before—it should be now.”

2. McKinsey & Company

On December 13, 2024, a management consulting firm, McKinsey & Company (“McKinsey”), agreed to pay $650 million for its role in the opioid crisis. McKinsey represented Purdue Pharma L.P. (“Purdue”), the maker of OxyContin. McKinsey advised Purdue on strategies to increase sales of that product despite Purdue’s 2007 guilty plea for misbranding that product. McKinsey did not admit liability but entered into a five-year deferred prosecution agreement (“DPA”) to resolve criminal and civil investigations by the DOJ. As part of its settlement with the DOJ, McKinsey will pay approximately $650 million, which is comprised of a $231 million penalty, a $93 million penalty in forfeited payments received from Purdue between 2004 and 2019, a $2 million penalty payable to the Virginia Medicaid Fraud Control Unit, and a $323 million civil penalty to address its liability under the False Claims Act. Importantly, McKinsey had previously agreed to pay approximately $900 million to settle various state and local actions arising from the opioid crisis.

In the federal case, McKinsey advised Purdue on how to “turbocharge sales” of OxyContin despite knowing the dangers of that product and the nationwide addiction crisis from it. At a news conference announcing the settlement, Christopher Kavanaugh, U.S. Attorney for the Eastern District of Virginia, said, “It was a strategy, it was executed and it worked. McKinsey’s strategy resulted in prescriptions for OxyContin that were unsafe and medically unnecessary.”

McKinsey’s settlement with the DOJ in the OxyContin case is important for several reasons. First, as Kavanaugh noted at the press conference, “This resolution marks the first time a managerial consulting firm has been criminally responsible for advice it has given resulting in the commission of a crime by a client.” As Joshua Levey, U.S. Attorney for the District of Massachusetts, noted, “[This] groundbreaking resolution makes clear our office’s commitment to holding powerful companies accountable for their part in the opioid epidemic, even if they did not make, sell, or dispense the drugs.” A corporate entity clearly does not need to be the primary or lead player in wrongdoing to face DOJ scrutiny. Second, McKinsey agreed that it will not do any work relating to the marketing, sale, or distribution of any controlled substances for the five-year term of the DPA. Third, as part of the global settlement, McKinsey agreed to implement a company-wide compliance program, which, according to the DOJ, will include a “system of policies and procedures designed to identify and assess high-risk client engagements.”

A former McKinsey partner, Martin Elling, agreed to plead guilty to a felony count of obstruction of justice for destroying Purdue records from his McKinsey laptop. Under his plea agreement, Elling faces up to a year in prison. According to his attorney, Elling “sincerely regrets his conduct for which he has fully accepted responsibility.”

3. Cummins, Inc.

In January 2024, the DOJ, the Environmental Protection Agency (“EPA”), and the state of California finalized a settlement agreement with Cummins, Inc. (“Cummins”)—which manufacturers engines—that required the company to pay a $1.657 billion penalty for vehicle emission control violations under the Clean Air Act (“CAA”). According to the EPA, this represented “the largest civil penalty in the history of the [CAA] and the second largest environmental penalty ever.” The EPA alleged that Cummins developed engine software to pass emissions tests while increasing nitrogen oxide emissions, as well as creating additional illegal defeat device software for Dodge Ram trucks. Defeat devices are designed specifically to circumvent emission reduction standards and were at the center of the Volkswagen “Dieselgate” scandal. In the Volkswagen scandal, the company designed and installed software on its vehicles that could detect when they were being tested for emissions compliance and then change the vehicle’s performance to improve results to ensure a passing score on emissions tests. Volkswagen settled the DOJ’s and EPA’s claims against it and has paid more than $30 billion in fines, penalties, and settlements worldwide for its wrongdoing.

In the Cummins matter, the EPA stated that “testing has shown that there is an increase in harmful nitrogen oxides . . . emissions from these vehicles,” which “contributes to harmful smog producing ozone and exposure to fine particulate matter that gets lodged in the lungs.” Such exposure may result in severe health consequences for children, the elderly, and those with pre-existing respiratory illnesses.

In addition to the $1.657 billion civil penalty, Cummins must recall and repair the illegal software and remove the defeat device mechanisms from affected vehicles to ensure compliance with the emissions standards of the EPA and the California Air Resources Board (“CARB”). The EPA estimates that approximately 630,000 vehicles are subject to this recall. Cummins must also pay CARB $175 million to support various mitigation projects, including those that “repower outdated locomotive engines with newer, cleaner technology and install idle reduction technology.” As in the McKinsey matter, Cummins must also implement compliance programs designed to prevent future violations of applicable law, including the CAA.

4. Boar’s Head

In July 2024, the U.S. Department of Agriculture (“USDA”) announced an expansion of the recall by Boar’s Head of deli meats produced at its plant in Jarratt, Virginia, after a listeria outbreak killed ten and resulted in at least sixty hospitalizations. The USDA’s Food Safety and Inspection Service (“FSIS”) found that inadequate sanitation at the plant largely contributed to the listeria outbreak.

The FSIS ordered a series of changes designed to enhance the regulatory and sampling approach to prevent and detect listeria at the company’s facilities. Boar’s Head must update its training and establish procedures to identify and respond to systemic food safety issues. Boar’s Head closed its Jarrett, Virginia, facility in November 2024.

5. Deere & Company

On September 10, 2024, the SEC announced that Deere & Company had agreed to pay $9.9 million to resolve charges that it had violated the FCPA. The charges arose from bribes paid by Deere’s wholly owned subsidiary, Wirtgen Thailand, from 2017 through 2020.

The subsidiary’s employees entertained Thai government officials at massage parlors. Those expenses were approved by Wirtgen supervisors and the charges were entered in the company ledger as legitimate expenses with little or no specification. Beyond the visits to the massage parlors, this Deere subsidiary paid for four Thai officials and two of their spouses to ostensibly visit a Deere factory in Germany. The officials, however, never visited the factory and their trip itinerary did not even include a reference to a factory visit. Instead, the six visitors traveled to Interlaken, Zermatt, and Lake Lucerne with no legitimate business purpose involved. Deere paid over $47,000 for the trip, which resulted in it receiving over $1.9 million in equipment orders from the Thai government.

6. The Proposed Boeing Monitorship

On December 5, 2024, Judge Reed O’Connor of the U.S. District Court for the Northern District of Texas rejected the proposed plea agreement between the DOJ and the Boeing Company. The parties tried to settle the ongoing case resulting from two fatal crashes of the same model plane manufactured by Boeing—the 737 Max. The proposed plea agreement would have required Boeing to plead guilty to one count of conspiracy and pay a fine of $487 million.

Judge O’Connor rejected the proposed agreement for two primary reasons. First, he took issue with the DOJ’s attempt to supplant the court’s responsibilities. Specifically, he objected to the DOJ reserving to itself the right to approve the monitor, rather than the court itself:

The plea agreement’s process for selecting the anti-fraud monitor, including prohibiting the Court from considering violations of the monitor’s anti-fraud recommendations, improperly marginalizes the Court. The Government has monitored Boeing for three years now. It is not clear what all Boeing has done to breach the . . . DPA . . . . The victims assert the “Government was forced to find that Boeing violated the DPA after the door fell off the Alaska airplane.” Boeing hints that it may have legitimate arguments in opposition to the Government’s determination of breach. Regardless, taken as true that Boeing breached the DPA, it is fair to say the Government’s attempt to ensure compliance has failed. . . . At this point, the public interest requires the Court to step in. Marginalizing the Court in the selection and monitoring of the independent monitor as the plea agreement does undermine public confidence in Boeing’s probation . . . .

Second, Judge O’Connor also objected to the DOJ’s diversity-and-inclusion policies and how those policies might apply to the selection of the monitor.

The Court is concerned with the Government’s shifting and contradictory explanations of how the plea agreement’s diversity-and-inclusion provision will practically operate in this case. While the Government assures the Court that the Government will consider all possible monitors (i.e., all backgrounds, etc.) but will choose a monitor solely based on merit and talent, the Court is skeptical of this assertion.

Two leading voices in the compliance field, Todd Haugh of Indiana University and Hui Chen, the former Compliance Counsel Expert for the Fraud Section of the Criminal Division of the DOJ, recently published an exhaustive article examining monitorships, their role in corporate compliance, and the selection process in such matters. Their paper focuses upon “whether a monitor can demonstrate measurable behavioral change within the monitored organization.” Their work has direct bearing upon issues relating to the selection of a monitor in the Boeing case, and they note that DOJ guidance on the selection of monitors is vague, at best. In analyzing another case, they outlined several requirements for any prospective monitor:

• a. demonstrated expertise with respect to the FCPA and other applicable anticorruption laws . . . ;
• b. experience designing and/or reviewing corporate compliance policies, procedures, and internal controls, including [for] FCPA and anti-corruption . . . ;
• c. the ability to access and deploy resources as necessary to discharge the Monitor’s duties . . . ; and
• d. sufficient independence from the Company . . . .

Haugh and Chen proposed a robust structure relating to corporate monitorships and the selection of monitors.

While this Survey primarily examines the corporate compliance world from May 2024 through December 2024, earlier DOJ guidance relating to corporate monitorships merits mention.

The original guidance on this subject was provided in the Morford Memo. That memo, written by Deputy Attorney General Craig Morford, outlined nine “principles” governing the selection, structure, and responsibilities of corporate monitors. Morford’s first principle applies to the Boeing monitorship:

1. Principle: Before beginning the process of selecting a monitor in connection with deferred prosecution agreements and non-prosecution agreements, the corporation and the Government should discuss the necessary qualifications for a monitor based on the facts and circumstances of the case. The monitor must be selected based on the merits. The selection process must, at a minimum, be designed to: (1) select a highly qualified and respected person or entity based on suitability for the assignment and all of the circumstances, (2) avoid potential and actual conflicts of interest, and (3) otherwise instill public confidence by implementing the steps set forth in this Principle.

Other than “select[ing] a highly qualified and respected person . . . avoid[ing] . . . conflicts of interest” and “otherwise instill[ing] public confidence,” instruction on the attributes of a monitor remain indefinite. Morford expanded on the First Principle: “Each United States Attorney’s Office and Department component shall create a standing or ad hoc committee . . . of prosecutors to consider the selection or veto, as appropriate, of monitor candidates.”

Haugh and Chen propose several compelling reforms to the monitorship process. As pertinent to the Boeing matter, they advocate minimal qualifications for monitors, including:

(a) proven experience in developing and implementing compliance programs in companies similar in risk profile . . . ; (b) proven abilities in measuring not only compliance efforts, such as head counts, spend, and hours of training, but outcomes evidenced by behavioral change; (c) proven capabilities in at least basic compliance-related data analytics; (d) proven capabilities in assessing and measuring organizational culture; and (e) proven abilities employing a scientific mindset, understanding the objectives of the monitorship, and working constructively with the company and the appointing authority.

Moreover, given such qualifications, one should assess the monitorship team as a whole and not simply the individual monitor.

Furthermore, during the first Trump administration, the Assistant Attorney General for the DOJ’s Criminal Division, Brian Benczkowski, authored a memo outlining steps for selecting corporate monitors (“Benczkowski Memo”). Not surprisingly, that guidance veered from previous directives. Specifically, the Benczkowski Memo added a requirement that prosecutors consider whether the monitor’s role would cause “unnecessary burdens” to the corporation in question. Prosecutors were directed to impose monitors only when the “demonstrated need for, and clear benefit to be derived from, a monitorship” outweighed the costs and burdens of such a monitorship. Given President Trump’s election to a second term, one should expect a return to a pro-business position comparable to that of the Benczkowski Memo.

The following is a summary of DOJ guidance, significant cases, and settlements from the second half of 2024:

1. The DOJ continues to actively encourage companies to self-disclose possible violations of law at every opportunity;
2. The DOJ expects companies to use the same or similar technologies to advance compliance and risk management goals that they use for sales or other business objectives;
3. Retention of ephemeral messaging will remain a key area of focus and perhaps the subject of increased controversy, given concerns voiced about it; and
4. Third parties, including consultants like McKinsey, will receive scrutiny for wrongdoing even if they are not the primary offender.

B. Legislative Update

The CTA represents the Treasury Department’s attempt to identify the true “beneficial owners” of businesses created in or registered to do business in the United States as part of the Anti-Money Laundering Act of 2020. The enforceability of the CTA has yet to be determined, as will be discussed below. The CTA allows the Treasury Department to ascertain the true beneficial owners of businesses by getting behind the array of shell companies designed to hide or camouflage who owns or controls the assets of various entities. The purpose of the CTA is to require “entities to submit beneficial ownership information to FinCEN and provid[e] timely access to this information to law enforcement, financial institutions, and other authorized users . . . to help combat corruption, money laundering, terrorist financing, tax fraud, and other illicit activity.”

The CTA requires “reporting companies” to disclose information regarding an entity’s beneficial owners, effective as of January 2024. Reporting companies may be organized domestically or abroad, and include corporations, limited liability companies, and other entities created by filing a document with a secretary of state (or foreign equivalent). A qualifying legal entity must furnish identifying information to FinCEN concerning the person or persons who beneficially own and control the entity.

Not surprisingly, there were immediate challenges to the CTA. Two cases are noteworthy for this survey. First, on March 1, 2024, Judge Liles C. Burke of the Northern District of Alabama ruled that the terms of the CTA were unconstitutional in National Small Business United v. Yellen, concluding that the CTA “cannot be justified as an exercise of Congress’s enumerated powers.” The court stayed reporting obligations under the CTA only with respect to the named plaintiffs: “Other than the particular individuals and entities subject to the court’s injunction . . . , reporting companies are still required to comply with the [CTA] and file beneficial ownership reports as provided in FinCEN’s regulations.” The government appealed the decision, and the U.S. Court of Appeals for the Eleventh Circuit heard oral argument on the matter on September 27, 2024.

Second, on December 3, 2024, Judge Amos L. Mazzant of the U.S. District Court for the Eastern District of Texas preliminarily enjoined the CTA because it was “likely unconstitutional.” Judge Mazzant’s preliminary injunction applied nationwide, specifically invoking the stay provisions of the Administrative Procedure Act.

Like Judge Burke, Judge Mazzant held that the CTA likely exceeded Congress’s authority under the Commerce Clause and that the CTA could not be “upheld as a necessary and proper component of Congress’s commerce power.” Moreover, Judge Mazzant questioned whether Congress was regulating foreign affairs and whether Congress benefited from the attendant Necessary and Proper Clause. Finally, Judge Mazzant rejected the government’s arguments that, in the CTA, Congress was exercising its taxing power and the powers attendant thereto under the Necessary and Proper Clause.

Members of President Trump’s incoming administration criticized the CTA. Next year’s Survey will detail actions by the Trump administration, but this Survey highlights certain recent actions. On February 27, FinCEN announced that no fines or penalties would be issued, and no enforcement actions would be initiated, until after a forthcoming rule had been issued and become effective. On March 2, the Treasury Department announced:

[W]ith respect to the [CTA], not only will it not enforce any penalties or fines associated with the beneficial ownership information reporting rule under the existing regulatory deadlines, but it will further not enforce any penalties or fines against U.S. citizens or domestic reporting companies or their beneficial owners after the forthcoming rule changes take effect either.

To formalize that announcement, the Treasury Department subsequently adopted an interim rule. Given the flux surrounding the CTA, companies should retain counsel and monitor developments regarding the CTA.

III. Whistleblowers

A. Whistleblower Incentive Programs

On August 1, 2024, the DOJ announced its own whistleblower program, the Corporate Whistleblower Awards Pilot Program (“DOJ Whistleblower Program”). The DOJ Whistleblower Program is intended to supplement and not replace other similar federal programs, such as the incentive programs provided by the SEC, the Commodity Futures Trading Commission, and FinCEN.

The DOJ will provide financial incentives for a whistleblower or reporter who provides original, truthful, non-public information that is not already known to the government. Moreover, the reporter cannot be involved in the criminal activity. The matter must be outside the scope of existing financial disclosure incentive programs, including other federal whistleblower regimes and federal qui tam statutes.

The information supplied by the reporter must relate to one of the following areas:

1. Certain crimes involving financial institutions;
2. Foreign corruption involving misconduct by companies;
3. Domestic corruption involving misconduct by companies; or
4. Health care fraud schemes involving private insurance plans.

The DOJ Whistleblower Program provides a possible safe harbor for companies that voluntarily self-report misconduct within 120 days of receiving an internal whistleblower report.

Critics denounced the new DOJ Whistleblower Program. Stephen Kohn, an attorney and chairman of the National Whistleblower Center, charged that the new program “missed the target” by “making the program discretionary, capping the amount of awards, blocking the best informants from coverage, and placing a major caveat on the right to file anonymous claims.”

The second half of 2024 saw other activity in Whistleblower Programs. For example, the Department of Transportation’s National Highway Traffic Safety Administration (the “NHTSA”) published its final rules for its Auto Safety Whistleblower Program on December 12, 2024. The NHTSA’s rules parallel other government programs, including a requirement that the reporter provide original information leading to a successful enforcement action with over $1 million in penalties.

B. Significant Whistleblower Awards

The SEC made several significant whistleblower awards in August 2024. In one matter, a pair of whistleblowers were awarded a total of $98 million for providing information and assistance, with one reporter receiving $82 million and the second receiving $16 million. In another matter, a total of $24 million was awarded to two whistleblowers, $4 million to the first reporter, and $20 million to the second reporter whose “information and substantial cooperation proved critical to the success of the [enforcement] actions.” The Dodd-Frank Act specifically protects the confidentiality of whistleblowers and the SEC does not disclose any information that could reveal a whistleblower’s identity.

IV. SEC Climate Change Rules

The SEC’s long-awaited rules requiring disclosure on climate change remain on life support at best. By way of background, on March 6, 2024, the SEC issued rules requiring disclosures by publicly traded companies in the United States and by any “foreign private issuer” (the “Climate Change Rules”). After nearly two years of deliberations, the SEC required climate disclosures in companies’ annual reports in their Form 10-Ks and Form 20-Fs.

Immediately after the SEC adopted the Climate Change Rules, litigants challenged the validity of those rules in multiple jurisdictions. Those lawsuits primarily focused upon three arguments: first, the rules exceeded the SEC’s statutory authority; second, they violated the First Amendment; and third, they were arbitrary and capricious under section 706(2)(A) of the Administrative Procedure Act. These arguments reflected positions taken by SEC Commissioners Hester Peirce and Mark Uyeda when dissenting from the adoption of the Climate Change Rules. Ten states filed a petition for review in the Eleventh Circuit to block the Climate Change Rules. Patrick Mooney, West Virginia’s Attorney General, argued that the rules were “illegal,” “unconstitutional,” and “not tethered to clear statutory authority.” On March 21, 2024, the case challenging the SEC’s authority was assigned to the Eighth Circuit. The SEC then issued a voluntary stay of its rules on April 4, 2024, stating: “[T]he Commission has discretion to stay its rules pending judicial review if it finds that ‘justice so requires.’ The Commission has determined to exercise its discretion to stay the [Climate Change] Rules pending the completion of judicial review of the consolidated Eighth Circuit petitions.”

One firm opined that the “case is likely to go on for some time. The litigation concerning the SEC’s conflict minerals rule went on for more than four years.” That firm emphasized that, while the SEC stayed the Climate Change Rules, the SEC explicitly noted that its order “does not stay any other Commission rules of guidance,” before citing its 2010 climate guidance.

Regardless of the ongoing litigation before the Eighth Circuit, the ultimate implementation of the Climate Change Rules seems improbable at best. Chairman of the U.S. Securities and Exchange Commission, Paul Atkins, has already indicated that he will not support the implementation of the Climate Change Rules, calling them “a burden to corporate America.” Moreover, Atkins wrote that the SEC should “retract and rethink its planned disclosure rule” in an opinion column published by the Wall Street Journal. Moreover, Acting Chair Uyeda directed the SEC to pause its defense of the Climate Change Rules.

V. Caremark Update—Significant Delaware Court Case in Late 2024

In previous surveys, Professor McGreal provided updates on the monitoring duty imposed on directors under Delaware corporate law, as established in In re Caremark International Inc. Derivative Litigation. In fact, this tradition dates to the inaugural Survey. This Survey will continue that practice. Section A briefly reviews the origin and nature of the Caremark claim. Section B examines the one significant Delaware decision since the last Survey that construed and applied Caremark.

A. The Caremark Claim

In dicta in its 1996 decision in In re Caremark International Inc. Derivative Litigation, the Delaware Court of Chancery addressed the directors’ duty to oversee a corporation’s legal compliance efforts. As part of its duty to monitor a corporation, the board must make good-faith efforts to ensure that a corporation has adequate reporting and information systems. The court described the claim for breach of that duty as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” with liability attaching only for a “sustained or systematic failure of the board to exercise oversight” or “an utter failure to attempt to assure a reasonable information and reporting system exists.”

Soon after the Caremark decision, this directive evolved into what has become known as a Caremark claim. Considering that decision, courts have widely recognized a cause of action against boards for failing to take minimal steps to achieve legal compliance. As the phrases “systematic failure” and “utter failure” suggest, a board’s Caremark duty is relatively low. Only egregious lapses breach this duty, such as when board members ignore obvious red flags signaling illegal behavior, fail to appoint or convene an audit committee, or fail to address obvious concerns, such as large loans to corporate insiders.

B. In re TransUnion Derivative Stockholder Litigation

One Delaware court considered the Caremark doctrine during this Survey period. On October 1, 2024, the Delaware Court of Chancery dismissed the plaintiffs’ complaint against the directors of TransUnion, reiterating that plaintiffs must scale a high bar to impose liability upon directors for a compliance breach.

TransUnion is an American consumer credit reporting agency, collecting and rating financial information for over a billion consumers. The plaintiffs claimed that the directors breached their fiduciary duty by permitting non-compliance with a previously entered consent order with the Consumer Financial Protection Bureau (the “CFPB”). The CFPB had investigated TransUnion’s marketing practices—focusing upon its disclaimers, notice provisions, and language—and claimed that the company’s practices violated federal law.

TransUnion entered a consent decree with the CFPB, agreeing to take remedial steps, including the addition of a header with the phrase “What You Need to Know,” using text twice the size of other disclosures. TransUnion also agreed to provide a “simple mechanism for a consumer to immediately cancel” the credit reporting service. The company also hired outside counsel to oversee those remedial steps. That attorney was a former CFPB enforcement attorney. TransUnion’s executive team regularly informed the board of the steps taken and the status of the remedial plan.

Two years after TransUnion entered the consent decree, the CFPB notified the company of potential violations, despite it taking several corrective actions. A group of TransUnion’s stockholders filed a derivative action alleging that the board breached its fiduciary duties. The complaint included a Massey claim and a Caremark claim “for consciously disregarding TransUnion’s non-compliance with the consent order.”

The Delaware Chancery Court dismissed the plaintiffs’ complaint noting that the threshold for liability based on failed oversight is “quite high” and requires a “lack of good faith as evidenced by sustained or systematic failure of a director to exercise reasonable oversight.” The court further noted that “[d]irectors who ‘try’ to implement and attend to a ‘reasonable board-level system of monitoring and reporting’ have met their baseline duty.”

The court then analyzed the three ways in which breach of fiduciary duty claims against directors are pleaded. In the first, plaintiffs often claim that “directors and officers purposely caused the corporation to break the law in pursuit of greater profits,” citing Massey as an example. In the second, plaintiffs may claim that the “board knowingly failed to implement a system to monitor legal compliance,” pointing to Marchand as a classic instance. In the third, the plaintiffs submit a combination of the first two theories where the board established a compliance system but allegedly acted in bad faith by consciously disregarding the red flags produced by the compliance system.

The Delaware Chancery Court dismissed the plaintiffs’ claims, citing the board’s oversight of the situation and that the board took several affirmative steps to ensure compliance with the consent order. TransUnion immediately changed its website to correct the notice requirements and immediately paid the fine to the CFPB. The board hired a former CFPB enforcement attorney. In short, the court ruled that a “sincere effort by directors to fulfill their oversight duties removes even the potential for personal liability.” The standard for proving personal liability of directors for monitoring failures is a high one, indeed.

VI. NLRB Update

A. Non-Compete Agreements

In a memorandum released in May 2023, NLRB General Counsel Jennifer Abruzzo opined that, except in limited circumstances, non-compete agreements violate section 8(a)(1) of the National Labor Relations Act (“NLRA”) (the “Abruzzo May 2023 Memo”). Non-compete agreements may only be used where “special circumstances” justify the infringement on employee rights. Examples of these “special circumstances” include agreements that restrict an employee’s managerial or ownership interests in a competitor or agreements involving independent contractors. A desire to avoid competition from a former employee or to protect proprietary or trade secret information does not generally constitute “special circumstances.” This position does not apply to supervisory employees, as they are not covered by the NLRA.

On April 23, 2024, the Federal Trade Commission (“FTC”) adopted a rule banning most non-compete clauses as an “unfair method of competition.” The FTC estimated that its ban would affect over thirty million workers nationwide. The rule would have become effective on September 4, 2024, but courts enjoined its enforcement.

The FTC’s rule prohibited future non-compete agreements, as well as rendering many existing non-competes unenforceable. The rule, however, provided three narrow exceptions. First, the rule would not invalidate any existing non-compete agreement with a “senior executive,” meaning one that earns more than $151,164 annually and that is in a “policy-making position.” Second, the rule would not apply to non-compete agreements entered into in the course of a sale of a business. Third, in most cases, nonprofit organizations would be exempt from the rule.

Within hours of the FTC announcing its new rule, litigants challenged the rule in several federal courts. The plaintiffs sought to invalidate the FTC’s rule, contending that the FTC lacked the authority to prohibit non-compete agreements. On August 20, 2024, in Ryan LLC v. Federal Trade Commission, the District Court for the Northern District of Texas granted the plaintiffs’ motions for summary judgment and set aside the FTC’s Non-Compete Rule.

On October 7, 2024, NLRB General Counsel Jennifer Abruzzo issued further commentary relating to non-compete agreements (the “Abruzzo October 2024 Memo”). Abruzzo argued that non-compete agreements and “stay-or-pay” agreements are illegal under section 7 of the NLRA because they restrict employee mobility, consistent with her earlier guidance.

In the Abruzzo May 2023 Memo, she opined that, except in limited circumstances, non-compete agreements violate section 8(a)(1) of the NLRA. She based that conclusion upon several factors, including that non-competes:

• Deny employees the ability to quit or change jobs;
• Discourage employees from threatening to resign to negotiate better terms and conditions of employment;
• Chill employees from concertedly seeking or accepting employment with a local competitor; and
• Prevent employees from organizing to seek employment at another workplace, which may allow them greater ability to engage in protected activity.

In the Abruzzo October 2024 Memo, she detailed remedies for employees who claim that a non-compete agreement or a “stay-or-pay” provision prevented them from gaining other employment. To obtain relief for the latter, an employee must show that: “(1) there was a vacancy available for a job with a better compensation package; (2) they were qualified for the job; and (3) they were discouraged from applying for or accepting the job because of the stay-or-pay provision.”

Although outside the Survey period, it merits mention that, in February 2025, the NLRB’s Acting General Counsel rescinded the memoranda issued by Abruzzo in May 2023 and October 2024.

B. NLRB Bans “Captive-Audience Meetings”

In a major decision late in President Biden’s term, the NLRB banned “captive-audience meetings.” On November 13, 2024, the NLRB ruled that captive-audience meetings are unlawful, thereby prohibiting an employer from requiring employees to attend a meeting specifically for the purpose of the employer expressing its opinion about unionization. This ruling overturned over seventy-five years of precedent on the subject.

In a case involving Amazon.com employees, the NLRB held that captive-audience meetings violate section 8(a)(1) of the NLRA because mandatory meetings “have a reasonable tendency to interfere with and coerce employees in the exercise of their Section 7 right to freely decide whether or not to unionize, including the right to decide whether, when, and how they will listen to and consider their employer’s views concerning that choice.”

The NLRB emphasized that an employer may lawfully hold meetings with employees to express its views on unionization if the employer follows its “safe harbor” rule:

[A]n employer will not be found to have violated section 8(a)(1) if, reasonably in advance of the meeting, it informs employees that:

1. The employer intends to express its views on unionization at a meeting at which attendance is voluntary;

2. Employees will not be subject to discipline, discharge, or other adverse consequences for failing to attend the meeting or for leaving the meeting; and

3. The employer will not keep records of which employees attend, fail to attend, or leave the meeting.

The NLRB chair presiding over the Amazon case, Lauren McFarren, left that position on December 16, 2024, when her term expired. On January 20, 2025, President Trump elevated Marvin E. Kaplan from a member of the board to chairman of the NLRB. At the time of submission of this Survey, there were two vacancies on the five-member board. President Trump’s nominees presumably will be less sympathetic to the employees’ position.