Voluntary Self-Disclosure Policy to Incentivize Reporting Misconduct
The U.S. Attorneys’ Offices’ VSD policy addresses situations where a company learns of misconduct committed by its own employees or agents. The DOJ explained that the rationale for the VSD policy is to help the government “investigate and hold wrongdoers accountable more quickly.” VSD Policy, supra, at 2. To achieve this goal, this policy establishes strong incentives for companies to self-report their own misconduct to the government, with some limitations.
In order for self-disclosure to be considered a VSD, and thus render a company eligible for leniency by the prosecuting U.S. Attorney’s Office (USAO), it must satisfy the following criteria:
- There must not be a preexisting obligation to disclose (e.g., a regulation, contract, or prior DOJ resolution).
- The disclosure must be timely. A disclosure is timely if it is made:
a. Before imminent threat of disclosure or government investigation, pursuant to U.S. Sentencing Commission (U.S.S.G.) Guidelines § 8C2.5(g)(1) (“Self-Report, Cooperation, and Acceptance of Responsibility”). The guidelines are published by the U.S.S.G. to assist federal judges in determining sentences for criminal defendants.
b. Before the misconduct is publicly disclosed or the government otherwise becomes aware of the misconduct.
c. “[W]ithin a reasonably prompt time” once the company learns of the misconduct. The company has the burden of establishing that it acted promptly. Id. at 3.
- The disclosure must include “all relevant facts” regarding the misconduct that are known by the company at that time. Id. at 4. In the event that the company does not know all of the relevant facts at the time of disclosure, the company must identify that the disclosure is based on a “preliminary investigation” or “assessment of information.” Id.
- The company must “preserve, collect, and produce relevant documents and/or information” and “provide timely factual updates to the USAO.” The company must also provide updates to the USAO regarding any internal investigations that it undertakes. Id.
When a company meets all of these criteria, the prosecuting USAO will not seek a guilty plea, absent the presence of an “aggravating factor.” Id. Examples of aggravating factors include, but are not limited to, misconduct that (1) “poses a grave threat to national security, public health, or the environment”; (2) “is deeply pervasive” within the company; or (3) involve the company’s “current executive management.” Id. Moreover, the VSD policy provides that even if all VSD criteria are not met, self-disclosures to the government will nonetheless be “considered favorably,” which can result in a more lenient resolution than would be available in the absence of self-disclosure. Id. at 3.
In-house counsel must, however, be mindful of the fact that voluntary self-disclosure of misconduct does not necessarily clear the company of all penalties. Companies seeking to reap benefits from the VSD policy must agree to pay “all disgorgement, forfeiture, and restitution” resulting from its misconduct, as well as other potential forms of appropriate remediation. Id. at 5. For example, the prosecuting USAO may still impose a criminal penalty that is not “greater than 50% below the low end of the U.S. Sentencing Guidelines fine range.” Id.
Moreover, when a company voluntarily self-discloses misconduct and one or more aggravating factors warranting a guilty plea are present, the prosecuting USAO will recommend a reduction between 50 percent and 75 percent below the low end of the U.S.S.G. fine range after any applicable reduction.
Finally, the VSD policy provides that the prosecuting USAO will not require the appointment of an independent compliance monitor in situations where a company “voluntarily self-discloses the relevant conduct and timely and appropriately remediates the criminal conduct” (even where an aggravating factor is present), provided that the company “demonstrates at the time of resolution that it has implemented and tested an effective compliance program.” Id.
Pilot Program Addressing Corporate Compensation
The DOJ Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks is designed to “reward corporations that develop solutions to incentivize better compliance through their compensation systems.” Crim. Div., Dep’t of Just., The Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks 1 (Mar. 3, 2023). The program lasts from March 15, 2023, to March 14, 2026.
While the program is in place, every corporate resolution entered by the Criminal Division must require “that the resolving company implement criteria related to compliance in its compensation and bonus system.” Id. at 2. While the program does not mandate specific criteria to be used, it provides examples. These examples include
- prohibiting “bonuses for employees who do not satisfy compliance performance requirements,” id.,
- implementing discipline for employees who commit misconduct (as well as for their supervisors who either knew or were “willfully blind to” their employees’ and/or business area’s misconduct), id., and
- implementing “incentives for employees who demonstrate full commitment to compliance processes,” id.
The program also mandates fine reductions for criminal resolutions when a company “fully cooperates and timely and appropriately remediates.” Id. Per the program, prosecutors shall reduce the fine by the amount that the company was able to successfully recoup, provided that the company (1) demonstrates that it has a system to recoup compensation either from the employees who committed the wrongdoing or from the culpable employees’ supervisors who either knew or were “willfully blind to” the misconduct committed by their employees or business area and (2) has begun the process to recoup such compensation at the time of resolution. Id.
Updated Compliance Program Standards Governing Use of Personal Communication Devices
DOJ prosecutors have long considered “the adequacy and effectiveness” of a company’s compliance program when investigating a company, deciding to bring charges against a company, or negotiating a plea or other agreements. DOJ Memorandum, supra, at 1. To assist prosecutors in making informed decisions about the quality of a company’s compliance program, the DOJ created an Evaluation of Corporate Compliance Programs memorandum.
With the rise in usage of messaging applications for business-related purposes, in March 2023, the DOJ updated the memorandum to address how prosecutors are to evaluate a company’s policies and procedures governing the use of personal devices, communication platforms, and messaging applications, including messaging systems where the communications are temporary. Companies should have policies ensuring that “business-related electronic data and communications are accessible and amenable to preservation by the company.” Id. at 17.
When evaluating the adequacy and effectiveness of a company’s compliance program, prosecutors are to consider an array of questions that address the company’s usage of electronic communications, including the following:
- “What electronic communication channels do the company and its employees use, or allow to be used, to conduct business?” Id.
- “What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?” Id.
- “What preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each?” Id.
- “What policies and procedures are in place to ensure that communications and other data is [sic] preserved from devices that are replaced?” Id.
- “If the company has a ‘bring your own device’ (BYOD) program, what are its policies governing preservation of and access to corporate data and communications stored on personal devices—including data contained within messaging platforms—and what is the rationale behind those policies?” Id.
- “How have the company’s data retention and business conduct policies been applied and enforced with respect to personal devices and messaging applications?” Id.
- “If the company has a policy regarding whether employees should transfer messages, data, and information from private phones or messaging applications onto company record-keeping systems in order to preserve and retain them, is it being followed in practice, and how is it enforced?” Id. at 18.
- “What are the consequences for employees who refuse the company access to company communications?” Id.
- “How does the organization manage security and exercise control over the communication channels used to conduct the organization’s affairs?” Id.
Answers to these questions are critical to any company under investigation. As Assistant Attorney General Polite stated in his address to the ABA,
During the investigation, if a company has not produced communications from these third-party messaging applications, our prosecutors will not accept that at face value. They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws, among other things. A company’s answers—or lack of answers—may very well affect the offer it receives to resolve criminal liability.
Kenneth Polite Jr., Assistant Att’y Gen., Dep’t of Just., Address at the 38th National Institute on White Collar Crime (Mar. 2, 2023).
Six Key Takeaways
- The DOJ has created powerful incentives to voluntarily self-report misconduct. A company that timely identifies and discloses its own misconduct may be able to avoid a guilty plea and may achieve a resolution with significantly reduced fines and financial penalties.
- Companies that seek clawbacks of compensation from employees who have committed misconduct and/or their managers will potentially be subject to significantly reduced fines.
- Companies without policies and procedures that govern personal devices, communications platforms, and messaging applications subject themselves to increased scrutiny from the DOJ. In this environment, in-house counsel should work with compliance teams to evaluate existing compliance programs and update them.
- Compliance programs should include clear statements articulating consequences for employees, and their managers, who engage in misconduct. Compliance policies should address how adherence to policies impacts compensation and should address the possibility of clawback of compensation from offending employees.
- Compliance policies should be updated to address the use and preservation of communications on all messaging platforms that employees may use when conducting company business. Such policies must address preservation of information not only where employees utilize company devices but also where employees use devices that they own themselves.
- Compliance programs and policies are only effective to the extent that company employees understand them and recognize that they will be vigorously enforced. Now is an opportune time to educate employees regarding program updates and the standards imposed by the DOJ.