On March 2 and 3, 2023, during speeches by Deputy Attorney General (DAG) Lisa Monaco and Assistant Attorney General (AAG) Kenneth A. Polite, Jr., at the ABA’s annual White Collar National Institute in Miami, the U.S. Department of Justice’s (DOJ) Criminal Division announced several policy updates consistent with the initiatives announced in the September 2022 Monaco Memorandum. Specifically, the DOJ released:
- A three-year “Compensation Incentives and Clawbacks Pilot Program” that will go into effect on March 15, 2023 (Clawbacks Pilot Program)
- Updated guidance on the “Evaluation of Corporate Compliance Programs” (Compliance Evaluation Guidance)
- A “Revised Memorandum on Selection of Monitors in Criminal Division Matters” (Monitor Memorandum)
The Clawbacks Pilot Program and elements of the updated Compliance Evaluation Guidance provide more details regarding DOJ expectations related to the role of incentives and clawbacks in compliance programs and as part of remediation during DOJ investigations of potential wrongdoing by companies. The Pilot Program also offers companies potential benefits in DOJ penalty calculations if companies pursue clawbacks of compensation from employees deemed responsible for conduct under investigation.
The Compliance Evaluation Guidelines also provide additional details regarding DOJ expectations of companies’ management of corporate data on employees’ personal devices and when using third-party applications, especially those with end-to-end encryption or features that automatically delete communications. The DOJ continues to emphasize that enforcement authorities consider companies’ abilities to produce such data during investigations to be a key component in DOJ assessments of whether such companies have fully cooperated.
The Monitor Memorandum updates the DOJ’s policies on Monitor selection and management to conform with policies announced by the Monaco Memorandum, such as including self-disclosure as a factor in determining whether a Monitor is necessary and confirming that “prosecutors should not apply presumptions for or against monitors.” The memorandum also clarifies that Monitor requirements “apply to monitor teams, in addition to the titular monitors” and that the minimum “cooling off period for monitors” is at least three years from the end date of any monitorship.
We will focus on what the new DOJ documents say about executive compensation and company policies on personal and third-party electronic communications – key issues on which the Monaco Memorandum had promised further guidance.
Policies and Guidance on Compensation Incentives and Clawbacks
The DOJ continues to emphasize compensation to drive compliance. In her speech, DAG Monaco noted that one of her main goals with these and earlier announced policies is “to empower companies to do the right thing, by investing in compliance, in culture and in good corporate citizenship.” She asserted, “[c]ompanies should ensure that executives and employees are personally invested in promoting compliance. And nothing grabs attention or demands personal investment like having skin in the game, through direct and tangible financial incentives.”
The Clawbacks Pilot Program and the Compliance Evaluation Guidance seek to direct or incentivize companies to link compliance to employment compensation in several ways.
Clawbacks Pilot Program: Potential Penalty Credits for Clawbacks
The Clawbacks Pilot Program’s main development is an offer by the DOJ to “provide fine reductions to companies who seek to claw back compensation from corporate wrongdoers.” As described by DAG Monaco, at the time a disposition occurs, “the resolving company will pay the applicable fine, minus a reserved credit equaling the amount of compensation the company is attempting to claw back from culpable executives and employees.” The company will then be allowed to keep any money clawed back during the time period of the resolution (for example, in a three-year deferred prosecution agreement (DPA)) – thus reducing the total fine by that amount. The Pilot Program also gives prosecutors discretion to “accord a reduction of up to 25% of the amount of compensation the company attempted [unsuccessfully] to clawback” by the end of the resolution period. Any reserved funds not clawed back or given credit would then be paid to the government.
Significantly, the potential credit for clawbacks does not include the often-substantial litigation and other costs of pursuing clawback actions against individual executives. Any resulting reduction in fines is limited to the actual compensation retrieved.
The program sets out several considerations and requirements for companies that seek to avail themselves of this potential benefit. To qualify, companies’ clawback efforts must target personnel “who engaged in wrongdoing in connection with the conduct under investigation, or… who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct.” The company must have initiated such efforts “before the time of resolution,” that is, during the investigation. And such efforts must be in “good faith,” a term that gives prosecutors significant discretion since it is not further defined in the guidance.
Beyond a general recognition that clawbacks are difficult and may take time, it remains unclear how extensively the DOJ has considered the potential challenges for companies to implement features such as clawbacks in their existing executive compensation systems (especially as to former executives), given the rules that govern such systems and the market dynamics that drive such compensation at senior levels. Often the money at issue has already been taxed, invested, or spent, and managing the tax consequences can be difficult for both the company and executives.
Thus, any decision to apply for fine reduction benefits under the Clawbacks Pilot Program will require consideration of a much broader set of factors than those articulated by the DOJ, and in some cases the costs might outweigh the potential benefits. To be in best possible position to take advantage of the program’s benefits, companies should review their executive compensation systems now (before any trouble ensues) to consider any potential changes. Recognizing that companies must continue to contend with relevant market forces, the DOJ now expects that such systems:
- Specifically tie bonuses and other incentives to established compliance metrics
- Explicitly allow for clawbacks when potential non-compliance is detected, including when internal or government investigations occur
- Grant maximum possible discretion under applicable laws to the Board and senior management to direct clawbacks and other disciplinary measures
Such a course was encouraged by DAG Monaco, who emphasized, “[w]e intend this program to encourage companies who do not already factor compliance into compensation to retool their programs and get ahead of the curve.” The updated Compliance Evaluation Guidance provides additional insights into the factors that companies should consider in updating their compensation systems.
Compliance Evaluation Guidance: Questions for Prosecutors on Incentives and Discipline
The Compliance Evaluation Guidance, last updated in June 2020, includes a retitled section on “Compensation Structures and Consequence Management” (previously “Incentives and Disciplinary Measures”). The guidance defines “consequence management” processes as “procedures to identify, investigate, discipline and remediate violations of law, regulation, or policy,” a definition that is broader than the previously used term “disciplinary procedures” and that appears to overlap with other hallmarks. However, the substantial revisions to this section continue to focus on how companies incentivize compliance and hold violators accountable.
The entire section is worth a review by compliance professionals. We summarize some of the key aspects and related considerations here.
Explicit Financial and Other Incentives Rewarding Compliance Leadership. The guidance states that prosecutors should “consider whether a company has incentivized compliance by designing compensation systems…tied to conduct consistent with company values and policies.” Among the relevant (and helpful) questions asked by the guidance are:
- “How does the company incentivize compliance and ethical behavior?”
- “What percentage of executive compensation is structured to encourage enduring ethical business objectives?”: A question tied to other statements suggesting that compliance should be a “significant metric for management bonuses.”
- “Has the company evaluated whether commercial targets are achievable if the business operates within a compliant and ethical manner?”: A question that also ties into the company’s compliance risk assessment process.
- “What role does the compliance function have in designing and awarding financial incentives at senior levels of the organization?”
In addition to financial incentives, the guidance also directs prosecutors to examine other “positive incentives, such as promotions [and] rewards…for improving and developing a compliance program or demonstrating ethical leadership” and “whether a company has made working on compliance a means of career advancement [or] offered opportunities for managers and employees to serve as a compliance ‘champion.'” Such non-financial incentives can be as important to building a compliance culture as financial benefits, and the guidance’s recognition of this fact gives companies a broader canvas to demonstrate a commitment to compliance in ways that can be less complex or fraught than compensation-based metrics.
Use of Clawbacks and Other Consequence Management Mechanisms. Consistent with the focus of the Clawbacks Pilot Program, the guidelines instruct prosecutors to ask, “[d]oes the company have policies or procedures in place to recoup compensation that would not have been achieved but for misconduct attributable directly or indirectly to the executive or employee?” Additional questions for prosecutors focus on:
- Whether “bonus and deferred compensation [is] subject to cancellation or recoupment, to the extent available under applicable law, in the event that non-compliant or unethical behavior is exposed before or after the award was issued.”
- Whether there is a “policy for recouping compensation that has been paid, where there has been misconduct.”
- Actual examples of “actions taken (e.g., promotions or awards denied, compensation recouped, or deferred compensation cancelled) as a result of compliance and ethics considerations.”
Communications of Compliance Expectations and Consequences to Employees. The guidance instructs prosecutors to look at “the extent to which the company’s communications convey to its employees that unethical conduct will not be tolerated and will bring swift consequences, regardless of the position or title of the employee who engages in the conduct.” One of several questions related to such communications is: “[w]hat policies and practices does the company have in place to put employees on notice that they will not benefit from any potential fruits of misconduct?”
There is also an increased focus on “whether a company has publicized disciplinary actions internally, where appropriate and possible, which can have valuable deterrent effects.” In new guidance language, prosecutors should consider, for example, whether a company has been transparent with employees about the terms of a separation when an executive has been exited for a compliance violation. The guidance further directs prosecutors to evaluate whether “the company taken steps to restrict disclosure or access to information about the disciplinary process” and whether there are “legal or investigation-related reasons for restricting information, or have pre-textual reasons been provided to protect the company from whistleblowing or outside scrutiny?”
While publication of disciplinary actions for compliance-related violations can create “deterrent effects” and provide assurances that employees at different levels are being treated similarly, the guidance’s various questions may underplay or unduly question legitimate reasons for companies to restrict such information. Most important, various applicable laws, especially in jurisdictions with strong data privacy protections, restrict the public dissemination of even basic information for discipline. In addition, companies often separate employees through negotiated settlements rather than “for cause” terminations both to minimize costs and litigation risks and to ensure that risky personnel exit the company as quickly as possible. Such settlements can assist companies in terminating relevant personnel in order to qualify for a finding with the DOJ that they have effectively remediated potential wrongdoing under the recently revised Corporate Enforcement Policy. An alternative approach that could achieve many of the DOJ’s goals (and that companies have used) is to release aggregate figures or include anonymized examples in trainings.
Use of Metrics to Monitor Consistency of Discipline. As has been the case with earlier versions of the guidance, there is a section on whether “disciplinary actions and incentives [have] been fairly and consistently applied across the organization.” There is new language inquiring as to the metrics used by the company “to ensure consistency of disciplinary measures across all geographies, operating units, and levels of the organization,” which continues the DOJ’s emphasis (also evident in the June 2020 version) on the use of data to track effectiveness and test programs.
Ensuring Effectiveness. More generally, the guidelines introduce a new section that asks questions regarding how the company has “ensured effective consequence management of compliance violations in practice.” Areas of inquiry include evaluations of substantiation of hotline reports across company units or countries of operation, “root cause analysis into areas where certain conduct is comparatively over or under reported,” timing and consistency of investigation processes, and “[h]ow much compensation has in fact been impacted (either positively or negatively) on account of compliance-related activities?”
Clawbacks Pilot Program: New “Attachment C” Requirements
Finally, “when entering into criminal resolutions [such as plea agreements, DPAs, or non-prosecution agreements (NPAs)], companies will be required to implement compliance-related criteria in their compensation and bonus system and to report to the [DOJ] about such implementation during the term of such resolutions.” The program states that such criteria could include:
- “A prohibition on bonuses for employees who do not satisfy compliance performance requirements”
- “Disciplinary measures for employees who violate applicable law and others who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct”
- “Incentives for employees who demonstrate full commitment to compliance processes”
The Pilot Program gives prosecutors discretion to formulate specific elements based on the relevant facts and circumstances for each company and acknowledges (without further elaboration) that there may be “applicable foreign and domestic law” considerations. The program also instructs prosecutors to “be mindful of, and afford due consideration to, how the company has structured its existing compensation program.”
The categories of compensation criteria noted above are (likely deliberately) vague, though the DOJ’s views on how companies should implement these elements can be gleaned from the Compliance Evaluation Guidance. While additional details on this aspect of the Pilot Program will likely be forthcoming in future corporate cases, the recent disposition involving Danske Bank’s anti-money laundering (AML) controls deficiencies may provide an early model. Attachment C to the Danske Bank’s plea agreement contains language requiring the bank to “implement evaluation criteria related to compliance in its executive review and bonus system so that each…executive is evaluated on what the executive has done to ensure that the executive’s business or department is in compliance with” the bank’s compliance program and applicable laws.
Guidance on Management of Company Information on Messaging Applications and Employee Personal Devices
The Compliance Evaluation Guidance addresses another significant set of issues raised by earlier DOJ policy announcements and speeches: DOJ expectations regarding company policies on employees’ use of “ephemeral messaging applications” (such as WhatsApp, Telegram, or other services) for company business and the management and retention of company information on employees’ personal devices. This guidance comes after DAG Monaco in 2022 directed the Criminal Division to “study best corporate practices” in this area and release new guidance.
Overall, the guidance states that company policies on these issues “should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company.” The guidance then sets out various questions that prosecutors should ask in three categories:
- “Communications channels”: What types of “electronic communication channels” are used by company employees and whether employees use different channels in different countries? An example is the use by Chinese personnel of the Chinese messaging service WeChat, which is not extensively used in other jurisdictions. For each channel, “what preservation or deletion settings are available to each employee” and what company policies apply?
- “Policy environment” and rationales: What company policies exist to ensure preservation of data and communications in various situations, such as ephemeral message deletion settings, replacement of company devices, and use of personal devices under, for example, bring-your-own-device (BYOD) policies? What “relevant code of conduct, privacy, security, and employment laws or policies…govern the organization’s ability to ensure security or monitor/access business-related communications” and allow for (or limit) the company’s ability to review company data on personal devices or third-party applications? And are relevant data retention policies being followed in practice?
- “Risk management”: What consequences have employees faced for not following existing policies in this area, and has employee “use of personal devices or messaging applications…impaired in any way the organization’s compliance program or its ability to conduct internal investigations or respond to requests from prosecutors or civil enforcement or regulatory agencies?”
In his March 3, 2023, speech, AAG Polite tied these issues back to cooperation under the recently revised CEP, noting that in an investigation, “if a company has not produced communications from…third-party messaging applications, our prosecutors will not accept that at face value. They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws, among other things [and a] company’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability.”
In light of the new Compliance Evaluation Guidance in this area and AAG Polite’s related remarks, companies should consider the following steps:
- Assess all electronic communications channels that employees are using outside of company record-keeping systems
- Determine which (if any) of these channels can be appropriately used for company business and make clear and train employees on any restrictions
- Update or introduce policies that create an appropriate retention period for all company data that may be contained in those channels, as well as considering and adopting methods by which “employees should [regularly] transfer messages, data, and information from private phones or messaging applications onto company record-keeping systems” consistent with applicable laws and regulations
- Establish clear and appropriate consequences for employees who do not follow these policies, and conduct training on the policies and consequences
- Develop plans for monitoring/auditing employees’ compliance with relevant policies
- Take appropriate action regarding employee non-compliance and keeping records of such actions
Source: Miller & Chevalier