New Year, New Compliance Challenges: Good Reasons to Spruce up Your Compliance Program in 2023
At the start of 2023, we made a number of corporate criminal enforcement predictions. With 2023 launched, we are circling back to highlight initiatives that government contractors may wish to consider undertaking as compliance “resolutions.”
Changes to the DOJ’s Corporate Enforcement and Voluntary Self Disclosure Policy
As we noted in a recent alert, the U.S. Department of Justice (DOJ) kicked off 2023 by rolling out an update to its Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP). The decision to voluntarily report potential misconduct can be a tricky one—and may be more complicated for government contractors because of the Federal Acquisition Regulation’s (FAR) mandatory reporting obligations (discussed below). Yet for all corporate entities, DOJ is seeking to incentivize prompt self-reporting of misconduct. In a speech regarding DOJ’s most recent changes, Assistant Attorney General (AAG) Kenneth Polite Jr. explained that the revised CEP rewards companies with strong compliance programs that voluntarily self-report misconduct as soon as it is discovered. To further incentivize voluntary self-reporting, the revisions explain that companies can still receive a partial fine reduction even if they cannot satisfy the high bar set for a declination.
Three major changes to DOJ’s CEP warrant attention.
First, the revised CEP sets out that where “aggravating circumstances” are present, a company will still be eligible for a declination—although will not qualify for a declination presumption—if it: (1) voluntarily self-discloses “immediately upon . . . becoming aware of the allegation of misconduct”; (2) had an effective compliance program at the time of the misconduct and disclosure; and (3) provides “extraordinary cooperation” with DOJ’s investigation. Moreover, the voluntary disclosure element relates to “allegations of misconduct” and the timing is “immediate,” meaning “at the earliest possible time, even when a company has not yet completed an internal investigation, if it chooses to conduct one.”
The CEP describes a baseline definition of “voluntary disclosure” regardless of whether aggravating circumstances are present. A disclosure is “voluntary” if it is:
- Timely: The disclosure must be made to the DOJ’s Criminal Division “within a reasonably prompt time” after discovery;
- Noncompulsory: The company had no preexisting obligation to disclose the misconduct and the disclosure qualifies under Section 8C2.5(g)(1) of the Sentencing Guidelines (USSG) as occurring “prior to an imminent threat of disclosure or government investigation;” and
- Fulsome: “The company discloses all relevant, non-privileged facts known to it, including all relevant facts and evidence about all individuals involved in or responsible for the misconduct at issue, including individuals inside and outside of the company regardless of their position, status, or seniority.”
Second, where a declination is not possible, the revised CEP increases the possible fine reduction available to self-disclosing entities. Under the prior policy, a company could expect a maximum 50% reduction; now, companies may qualify for a reduction of up to 75%. For nonrecidivists, DOJ will recommend a 50%-75% reduction on a fine that falls on the low end of the USSG range. Recidivists will get the same 50%-75% reduction, but not from the low end of the range. The starting point for recidivists is left to the discretion of prosecutors.
Third, under the revised CEP, DOJ will still award limited credit where a company does not voluntarily self-disclose misconduct, but later fully cooperates and remediates. In this situation, nonrecidivists can expect prosecutors to recommend up to a 50% reduction off the low end of the USSG fine range. Recidivists, on the other hand, can earn up to 50% off, but the starting point will generally not be the low end of the fine range. Again, the policy vests substantial discretion in prosecutors to determine the starting point for any reduction.
The FAR Mandatory Disclosure Rule
Government contractors may be wondering how the revised CEP fits within the pre-existing mandatory disclosure requirements in FAR 52.203-13, 9.406-2, and 9.407-2—rules that were developed over a decade ago at the request of DOJ. See 73 Fed. Reg. 67064 (Nov. 12, 2008). Three potential inconsistencies emerge.
As a threshold issue, it is unclear whether a disclosure required by FAR 52.203-13 would be one for which the contractor had “no preexisting obligation to disclose the misconduct.” During the rulemaking for the FAR’s mandatory disclosure rule, commenting parties specifically raised a concern that mandating disclosure would eliminate the ability to obtain credit for a voluntary disclosure. See 73 Fed. Reg. at 67072-73. At that time, the FAR Council reasoned that there would still be incentives under the FAR and USSG for a “mandatory” disclosure. Id. at 67073. In assessing whether to make a voluntary disclosure to DOJ under the revised CEP, contractors will want to be prepared to articulate the policy reasons why the FAR mandatory provisions do not prevent them from obtaining full credit.
Additionally, the FAR contemplates a “timely” disclosure of “credible evidence” of misconduct, not necessarily an “immediate” disclosure of an “allegation.” During the FAR rulemaking, parties also questioned what would be a “timely” disclosure. The FAR Council explained that a “timely” disclosure, combined with the obligation to disclose “credible” evidence, would allow a contractor adequate time to investigate an allegation of misconduct, at least preliminarily, to determine if it is credible before making a disclosure. See, e.g., id. at 67074. Indeed, the FAR Council developed the “credible evidence” standard with the Criminal Division’s input. Id. at 67073. The revised CEP is unclear as to what a “reasonably prompt time after becoming aware of the misconduct” means: immediately after receipt of an allegation of misconduct, or after some investigation to assess credibility?
The revised CEP also requires “extraordinary cooperation” and “extraordinary remediation” for situations involving aggravating circumstances to obtain maximum credit. Defining “extraordinary” cooperation is subjective: AAG Polite said the DOJ “know[s] ‘extraordinary cooperation’ when we see it” and it is “not just run of the mill, or even gold-standard cooperation, but truly extraordinary.” The FAR, by contrast, requires “full cooperation” with any Government audits, investigations, or corrective action as part of a large contractor’s internal control systems; it does not specifically require that a mandatory disclosure include details of remediation (although that is certainly a best practice). As AAG Polite plainly distinguished between (ordinary) “full” cooperation and remediation and their “extraordinary” counterparts, contractors may need to flex beyond “full” cooperation and remediation to meet the CEP expectations.
Finally, DOJ and the FAR both emphasize the importance of robust corporate compliance programs. In evaluating compliance programs, DOJ has focused intensely on continued evaluation and testing of a program’s effectiveness. FAR 52.203-13(c)(2)(ii)(C)(1)-(3) also requires an internal control system to include evaluation of the effectiveness of the compliance program, periodic assessment of company risks, and enhancements to the program to address those risks. In maintaining the ability to provide real-time effectiveness metrics to DOJ, a contractor will simultaneously bolster its argument for a DOJ declination and naturally improve its FAR-required compliance and, if necessary, disclosure. Accordingly, to the extent contractors are not yet actively monitoring the effectiveness of their compliance programs and capturing that effort, now is the time to start.
Other differences between the CEP and FAR are more easily addressed. For example, a voluntary self-disclosure under the CEP requires a disclosure of all known, non-privileged facts, and identification of all individuals involved in the misconduct. But, while the FAR rule does not specify the type of information that should be disclosed, disclosure of non-privileged known facts and the names of those involved in or responsible for the misconduct is nonetheless a best practice to ensure a fulsome disclosure. And, the revised CEP requires a disclosure to the DOJ Criminal Division, while the FAR rule requires disclosure to the agency Office of Inspector General (OIG). As a practical matter, however, a contractor disclosure to an agency OIG is shared with DOJ and the agency debarring official. Thus, if a contractor intends to make a disclosure, and believes it might want to take advantage of the revised CEP, it could easily make its disclosure directly to the Criminal Division as well as the agency OIG.
Coming Down the Pike: Where Does Ephemeral Messaging Fit?
One issue where DOJ has vacillated recently is in its stated expectations of how entities police the use of business communications outside of company systems. As bring your own device (BYOD) policies have proliferated, DOJ and other regulators have grown increasingly agitated about the potential for loss of access to evidence when employees communicate via private channels—some of which may be encrypted or truly “ephemeral” in that they are set to self-delete. The Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission recently obtained a collective $1.8 billion in civil penalties from Wall Street firms for allowing their traders and others to conduct business utilizing third-party messaging apps on mobile devices. Similarly, emphasizing DOJ’s concern in this area, Deputy Attorney General (DAG) Lisa Monaco issued a memo in September 2022 which had a section devoted to the “Use of Personal Devices and Third-Party Applications.” The memo instructed prosecutors, when evaluating a company’s compliance program, to consider “whether the company has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.” As the status of a company’s compliance program is a major factor in DOJ’s decisions about charging a company and, if so, in the amount of penalties and external monitoring, there is great risk in not policing the use of unauthorized means of business communications. As discussed above, this is an area where testing and enforcing compliance with messaging policies—and having the data to back it up—will be key to obtaining a favorable result from DOJ.
Also on the Pike: More Clawback Requirements?
DAG Monaco’s September 2022 memo also stated that in addition to previous guidance to prosecutors on evaluating corporate compliance programs, such programs should be examined against another “metric”: whether they include compensation-related practices that promote compliance and punish those who engage in misconduct. This follows on the tail of November 2022 SEC rules that also require compensation clawbacks for certain reporting-related violations.
DAG Monaco’s memo advises prosecutors to examine both incentives for compliance, such as use of compliance metrics in compensation calculations and performance reviews, and “retroactive discipline,” including “clawback measures, partial escrowing of compensation, or equivalent measures.” These measures should be evaluated both as a matter of policy and practice within a company’s compliance program. Prosecutors also should consider whether non-disclosure or non-disparagement provisions are used in employment-related agreements that would prevent the reporting of misconduct. This is similar to the SEC’s repeated enforcement of its whistleblower protection against companies that try to limit reporting of violations in separation agreements, which we have addressed in prior client alerts here and here.
These measures also go beyond what the FAR expressly requires, although the FAR also does not prohibit them, either. FAR 52.203-13 provides only that an internal control system generally should include (i) “reasonable measures” to exclude individuals as “principals” who have engaged in conduct contrary to the contractor’s code of conduct and (ii) “disciplinary action” for misconduct or failing to report misconduct—but not explicit clawback requirements.
As DOJ continues with its focus on individual accountability, contractors need to consider whether their compensation and compliance programs should provide the incentives or “retroactive discipline” that DOJ expects. These measures should be considered carefully as there may be conflicting state or local laws. Some measures may also have tension with a contractor’s vision, values, and ethics messaging (i.e., is ethical conduct a compensation criterion or behavioral expectation?). And these measures, particularly the retroactive ones like clawing back pay, may be difficult to put into practice, especially regarding former employees.
DOJ is considering developing further guidance in this area, so this is another space to watch.
Putting It All Together
A healthy compliance program is one that can adjust to changes in enforcement priorities, technological advances, and emerging business risks. When DOJ announces its expectations for corporate compliance, the incentives for initiating compliance “resolutions” are even higher. Wiley assists contractors of all sizes with compliance program assessments, enhancements, and reviews to ensure that their compliance programs meet business, ethics, and enforcement expectations.