A Progression Toward DOJ’s New Approach to Corporate Compliance Evaluation
The Department created its Evaluation of Corporate Compliance Programs (ECCP) in 2017 to assist prosecutors in their assessment of the strength of a corporation’s compliance programming. DOJ prosecutors are instructed to consider certain factors when investigating a corporation, determining whether to bring charges, and negotiating a resolution. Using the ECCP guidelines, prosecutors are supposed to answer three fundamental questions: (1) Is the corporation’s compliance program well designed? (2) Is the program being applied earnestly and in good faith? and (3) Does the corporation’s compliance program work in practice? See U.S. Dep’t of Just. Crim. Div., Evaluation of Corporate Compliance Programs (updated Mar. 2023).
In February 2023, the Department rolled out a corporate self-disclosure policy to be applied across all U.S. Attorney’s Offices throughout the country. See U.S. Att’ys Off., Voluntary Self-Disclosure Policy (updated Mar. 7, 2024). This policy encourages prompt self-disclosure of potential wrongdoing and cooperation in exchange for more lenient resolutions, including the possibility of a declination.
The Department then made a series of significant compliance-related revisions to the ECCP in March 2023. See U.S. Dep’t of Just. Crim. Div., supra. They centered on two major topics: (1) company policies regarding the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications, and (2) information regarding the use of company compensation structures, including the use of financial penalties such as clawback provisions, to disincentivize corporate misconduct. See id.
With respect to personal devices and messaging applications, the March 2023 revisions specifically address the potential perils of “bring your own device” (BYOD) programs. See id. Prosecutors will now consider whether corporate policies regarding the use of personal devices are specifically tailored to each company’s risk profile and business needs. Successful compliance programs should include the ability to preserve and access data located on employees’ BYOD devices, including personal, encrypted, and/or ephemeral messaging applications, subject to applicable privacy and local laws. Id. The DOJ is not the only enforcement entity focused on encrypted and ephemeral messaging. In June 2024, the European Commission (Commission) fined International Flavors & Fragrances, Inc. €15.9 million when one of its senior executives intentionally deleted WhatsApp messages exchanged with a competitor, in obstruction of the Commission’s antitrust inspection of the company. The Commission noted this was the first time it had imposed a fine for the deletion of messages exchanged via social media application on a mobile phone, and the fine rewarded the company’s proactive cooperation with investigators, including helping to recover the deleted data. Id.
Regarding compensation structures, the March 2023 ECCP revisions instruct prosecutors to consider, among other factors, “whether a company has incentivized compliance by implementing compensation systems that defer or escrow certain compensation tied to conduct consistent with company values and policies.” Id. DOJ will also consider “whether provisions for recoupment or reduction of compensation due to compliance violations or misconduct are maintained and enforced in accordance with company policy and applicable laws.” Id.
In connection with the March 2023 ECCP revisions relating to compensation, on March 15, 2023, the Department launched its first-ever Compensation Incentives and Clawbacks Pilot Program (Clawback Pilot Program), aimed at encouraging companies to incentivize employee compliance through compensation. Memorandum, U.S. Dep’t of Just., The Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks (Mar. 3, 2023). The Clawback Pilot Program provides incentives for companies that penalize executives and other employees engaged in corporate misconduct through clawbacks of bonuses or other benefits. DOJ Deputy Attorney General (DAG) Lisa Monaco stated that the aim of the program is “to shift the burden of corporate wrongdoing away from shareholders, who frequently play no role in misconduct, onto those directly responsible.” See Lisa Monaco, Dep. Att’y Gen., Remarks at American Bar Association National Institute on White Collar Crime (Mar. 2, 2023).
The three-year pilot program reflects a mixture of carrots and sticks: A company may qualify for a criminal fine reduction if it implements certain criteria in its compensation system including, among others, a prohibition on bonuses for employees who do not satisfy compliance performance requirements, disciplinary measures for employees who violate applicable law, and incentives for employees who demonstrate full commitment to compliance processes.
Additionally, to receive cooperation credit, a company must show that it is in the process of recovering or has already recouped unearned compensation from employees who were involved in the alleged misconduct. If the company has recouped unearned compensation at the time of resolution and has cooperated during the investigation, DOJ will apply a credit to the company’s overall fine equal to the amount of compensation the company recovered from any culpable employee.
Further Progression—A “Safe Harbor” for Voluntary Self-Disclosure in Mergers and Acquisitions
The Department’s mixed use of carrots and sticks continued on October 4, 2023, when DAG Monaco announced a new “Safe Harbor” policy impacting mergers & acquisitions. See Lisa O. Monaco, Dep. Att’y Gen., New Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions (Oct. 4, 2023) [hereinafter DAG Monaco, New Safe Harbor Policy]. Under the policy, the Department will presumptively decline to criminally prosecute acquiring companies that:
- promptly and voluntarily self-disclose criminal misconduct within six months of the transaction closing date;
- cooperate fully in the ensuing investigation; and
- fully remediate (including restitution and disgorgement) the disclosed misconduct within one year of the closing date.
Id. The safe harbor applies whether the acquiring company identifies the issue before or after closing. Recognizing that the timeline to qualify for a presumption of declination is short, DAG Monaco added that the “baselines are subject to a reasonableness analysis because we recognize deals differ and not every transaction is the same. So, depending on the specific facts, circumstances, and complexity of a particular transaction, those deadlines could be extended by Department prosecutors. And of course, companies that detect misconduct threatening national security or involving ongoing or imminent harm can’t wait for a deadline to self-disclose.” See id.
The Current Evolution to Corporate Compliance Evaluation
On March 7, 2024, at the American Bar Association’s 39th National Institute on White Collar Crime, DAG Monaco revealed the Department’s most recent efforts to incentivize voluntary self-disclosure. They represent significant updates to the Department’s criminal enforcement policy initiatives that have been announced over the past few years.
New Corporate Whistleblower Awards Pilot Program
The most significant new development is the announcement that the Department is instituting a whistleblower program that financially incentivizes informants to report evidence of white-collar criminal activity to the DOJ. See Lisa Monaco, Dep. Att’y Gen., Keynote Remarks at the American Bar Association’s 39th National Institute on White Collar Crime (Mar. 7, 2024). On August 1, 2024, the Department announced the details of its highly anticipated new Corporate Whistleblower Awards Pilot Program (Pilot Program). In remarks on August 1, 2024, DAG Monaco said that other whistleblower programs like those offered by the U.S. Securities and Exchange Commission, Commodity Futures Trading Commission, the Internal Revenue Service and FinCEN have been successful but “by their very nature—are limited in scope [as] . . . they don’t address the full range of corporate and financial misconduct that the Justice Department prosecutes.” Lisa Monaco, Dep. Att’y Gen., Remarks on New Corporate Whistleblower Awards Pilot Program (Aug 1, 2024). The Department’s three-year program aims to fill the gaps in the corporate compliance landscape.
In order to qualify for a whistleblower award under the Pilot Program, individuals must provide the DOJ with “original, truthful information” regarding four target areas of corporate misconduct outside the scope of other U.S. government whistleblower programs: (1) crimes involving financial institutions, from traditional banks to cryptocurrency businesses; (2) foreign corruption involving misconduct by companies; (3) domestic corruption involving misconduct by companies; or (4) health care fraud schemes involving private insurance plans. The information must also lead to a successful criminal or civil forfeiture netting more than $1 million. DAG Monaco emphasized that in order to be eligible for awards, information must be “something [DOJ] didn’t already know” and “[w]ith very few exceptions, [reporting individuals] need to be first in the door.” See DAG Monaco, Dep. Att’y Gen., Remarks on New Corporate Whistleblower Awards Pilot Program, supra.
While individuals are not eligible for awards if they would have been eligible for a reward through another U.S. government or statutory whistleblower program, the Pilot Program explicitly encourages individuals to share information with multiple government agencies. As the Pilot Program specifies, “if an individual is unsure of whether they qualify for another U.S. government program or may qualify for … [the Pilot Program], they should submit information to both programs so that the Department can assess the information.”
Rewards under the Pilot Program are at the DOJ’s discretion and will be managed by the Criminal Division’s Money Laundering and Asset Recovery Section. The Department may increase the award percentage based on its analysis of factors such as the significance of the information offered, assistance provided by the whistleblower and the whistleblower’s participation in internal compliance systems or reporting. The Department may decrease award percentages based on factors such as the whistleblower’s role or oversight of offices and personnel involved in misconduct, interference with internal compliance and reporting systems, unreasonable delay in reporting, or culpability on the part of the whistleblower. Any awards will be made only after eligible individual victims are compensated.
On August 1, 2024, Principal Deputy Assistant Attorney General Nicole M. Argentieri also noted that, as an amendment to the Department’s Corporate Enforcement and Voluntary Self-Disclosure Policy and under the Pilot Program, if a company receives an internal report from a whistleblower and reports the misconduct to the Department within 120 days and before the Department reaches out to the company, the company will be eligible for a presumption of a declination, provided that the company fully cooperates and remediates the misconduct. See Nicole M. Argentieri, Principal Dep. Assistant Att’y Gen., Remarks on New Corporate Whistleblower Awards Pilot Program (Aug 1, 2024).
DOJ’s Guidance Regarding AI
The Department also sees AI as an area of increasing enforcement and regulatory focus. In a February 14, 2024, speech at Oxford University, DAG Monaco expressed that AI “may well be the most transformational technology we’ve confronted yet,” but added that “new technologies don’t necessarily demand new structures.” See Lisa O. Monaco, Dep. Att’y Gen., Remarks at the University of Oxford on the Promise and Peril of AI (Feb. 14, 2024) [hereinafter DAG Monaco Oxford Remarks]. Likening the arrival of AI to the arrival of the internet, she stated that prosecutors “evolved with the threat, applied and adjusted existing legal tools, and added needed technology and expertise.” Id.
However, the Department has recognized the potential harm that criminal use of AI could cause and the breadth of challenges that AI presents. For example, during the ABA’s National Institute on White Collar Crime, Attorney General (AG) Merrick Garland spoke about the Department’s responsibility to protect the United States’ lead on AI technology. See generally Attorney General Garland Discusses AI, National Security, Am. Bar Ass’n (Mar. 11, 2024). AG Garland acknowledged the potential risks that AI creates for our justice system and stated that the Department is currently most concerned about algorithmic discrimination and the ways in which AI can accelerate cyberattacks on companies, the government, military organizations, and law firms. The DOJ is acutely aware of the many ways in which AI accelerates risks of fraud and extortion, as well as its use by foreign actors to increase political polarization and attack our electoral system.
To address the complex problems caused by AI, the DOJ plans to allocate more resources to its AI efforts and has started by hiring numerous computer scientists and other experts. AG Garland designated Jonathan Mayer as the Department’s first Chief Science and Technology Advisor and Chief Artificial Intelligence Officer. AG Garland also highlighted the benefits of AI, explaining that the Department’s use of AI will help it respond to threats more quickly and efficiently than the machine learning systems the Department currently uses to respond.
DAG Monaco similarly described AI as a “double-edged sword,” explaining that AI has “great promise to improve our lives—but great peril when criminals use it to supercharge their illegal activities, including corporate crime.” See DAG Monaco Keynote Remarks, supra. She noted two key policy changes relating to AI: first, that Department prosecutors may seek stiffer sentences for offenses that are made significantly more dangerous by the misuse of AI and, second, that going forward, Department prosecutors will evaluate a company’s ability to manage AI-related risks in assessing its overall compliance efforts. Id.
DAG Monaco was particularly focused on the Department’s use of increased penalties for criminals who use AI in the commission of their crimes, comparing the use of AI to the use of firearms and other dangerous weapons. She added, “To be clear: Fraud using AI is still fraud. Price fixing using AI is still price fixing. And manipulating markets using AI is still market manipulation. You get the picture.” Id. DAG Monaco cautioned that the DOJ will be seeking stiffer sentences for individual and corporate defendants when “AI is deliberately misused to make [ ] white-collar crime significantly more serious.” Id.
The Department also expressed its expectations that companies now consider AI in their basic compliance policies and procedures. DAG Monaco explained that as part of any review of a company’s compliance program during corporate resolutions, the Department has instructed prosecutors to “assess a company’s ability to manage AI-related risks as part of its overall compliance efforts.” Id. The DOJ Criminal Division will now formally incorporate assessment of disruptive technology risks—including risks associated with AI—into its guidance on Evaluation of Corporate Compliance Programs. DAG Monaco stated that these efforts are part of the DOJ’s plans to address “the rise of AI through our existing sentencing guidelines and corporate enforcement programs.” Id.
Finally, DAG Monaco discussed the DOJ’s new initiative called “Justice AI,” which will be a series of meetings with stakeholders across industry, academia, law enforcement, and civil society to address the impacts of AI on the justice system. Id. See also DAG Monaco Oxford Remarks, supra. Additionally, in April 2024, the Department also issued a statement explaining that five new cabinet-level federal agencies, including the Department of Education, Department of Health and Human Services, Department of Homeland Security, Department of Housing and Urban Development and Department of Labor and The Consumer Protection Branch of the Justice Department’s Civil Division, have joined a pledge to uphold America’s commitment to core principles of fairness, equality and justice as AI becomes a more common part of our everyday daily lives.
DOJ Pilot Program on Voluntary Self-Disclosures for Individuals
In April 2024, DOJ launched its Pilot Program on Voluntary Self-Disclosures for Individuals (VSD for Individuals Program) which is focused on incentivizing individuals to voluntarily self-disclose instances of corporate misconduct. See Criminal Division Pilot Program on Voluntary Self-Disclosures for Individuals, U.S. Dep’t of Just. Crim. Div. (updated Apr. 15, 2024). In exchange for self-disclosure, full cooperation, and payment of “any applicable victim compensation, restitution, forfeiture, or disgorgement,” prosecutors will enter into a Non-Prosecution Agreement (NPA) if an individual’s self-disclosure meets certain limiting criteria, described below. The policy is intended to “provide[] transparency regarding the circumstances in which Criminal Division prosecutors will offer mandatory NPAs to incentivize individuals (and their counsel) to provide original and actionable information.” Id.
As an initial matter, to qualify for an NPA, the disclosure must reveal original, nonpublic information relating to specific violations including money laundering, violations related to the integrity of financial markets, foreign bribery and corruption, health care fraud, fraud related to federally funded contracting, and domestic bribery. Additionally, the disclosing individual cannot be a CEO, a CFO, a government official, or an employee of any domestic law enforcement agency. The disclosure must be fully voluntary and truthful, and the disclosing individual must forfeit any financial gains received from the misconduct. Id.
DOJ’s VSD for Individuals Program follows whistleblower programs recently launched by the US Attorney’s Offices for SDNY and NDCA, from which a whistleblower may receive an NPA in exchange for original information if they meet similar criteria.
These statements follow Monaco’s October 2023 statements at the Society of Corporate Compliance and Ethics’ 22nd Annual Compliance & Ethics Institute, where the Department announced a new safe harbor for companies that voluntarily self-disclose criminal misconduct uncovered during pre-acquisition due diligence or integration of a newly acquired entity. At the ABA conference, DAG Monaco clarified that this policy does not limit the Department’s robust antitrust enforcement efforts, but rather “complements them by ensuring that misconduct doesn’t get swept under the rug.” See DAG Monaco, New Safe Harbor Policy, supra.
What Does This Mean for Companies Going Forward?
The most recent Department announcements are part of a broader effort to incentivize corporate self-disclosures. This trend—putting pressure on companies to voluntarily disclose potential corporate misconduct—continues to drive important Department policies. Given this trend, there are important takeaways for companies adjusting to Department expectations.
- The new whistleblower program seeks to incentivize individual whistleblowers to come forward through the promise of potential monetary rewards. But the program also creates the inverse incentive—the need for companies to identify and promptly disclose potential wrongdoing, rather than risk a whistleblower first disclosing the potential misconduct. The new program pressures companies to make self-disclosure determinations more quickly in their investigations, as only the first to report the “new” information (whistleblower or company) will receive credit for making such a report.
- The new Department whistleblower program will likely result in an increase in enforcement actions across a variety of white-collar contexts. The program incentivizes whistleblowers to report issues directly to DOJ, rather than to a company hotline. Moreover, companies have 120 days (or less) to review any internal tips they do receive and report them to DOJ to be eligible for a declination. The DOJ is creating a race to their door between whistleblowers and companies, with strong incentives to both to be the first to raise allegations of wrongdoing. As such, compliance programs matter, and the Department continues to strongly encourage companies to design and implement an effective and robust culture of compliance. For the Department, companies that invest in comprehensive and effective compliance programs put themselves in the best position to identify misconduct early and are less likely to face severe penalties if issues arise. To stay ahead of the likely uptick of whistleblowers, companies must use trainings, audits, and other compliance testing to ensure their corporate compliance procedures are sufficient to detect and deter misconduct. This includes ensuring that compliance programs are tailored to a company’s profile within their industry and regulatory environment.
- The Department has made clear that if a company does not voluntarily self-report misconduct, the DOJ expects to “ratchet up the sanctions” and seek harsher penalties to deter future misconduct. On the other hand, the Department will continue to reward companies that are forthcoming with misconduct. For example, in May 2024, the Department declined the prosecution of biochemical company MilliporeSigma, after two of its employees pleaded guilty to wire fraud for their roles in a scheme to fraudulently procure deeply discounted products and export them to China using falsified export documents. DAG Monaco touted MilliporeSigma’s cooperation, explaining “[w]hen a business uncovers criminal wrongdoing within its ranks, the company is far better off reporting the violation than waiting for the Justice Department to discover it [.]”
- The Department is intently focused on AI, its risks, and the potential for abuse. If AI is determined to be part of corporate misconduct, prosecutors are likely to seek heightened penalties.
- Companies should closely review and revise their corporate compliance programs to address potential AI risks. Given the Department’s promise that prosecutors will assess how effectively (or not) a company’s compliance program considers AI risks, a well-prepared company will have clear, particularized AI policies that adequately address such industry-specific AI risk, consistent with a company’s risk tolerance. Compliance teams should consider policies that address how disgruntled employees may use AI to cause problems for companies, such as AI-related market manipulation or AI-augmented fraud. If a company does implement an AI system, the company should develop and utilize appropriate testing and monitoring methods to ensure the system is working as intended.