Following remarks made on March 2 and March 3, 2023 at the American Bar Association’s 38th Annual National Institute on White Collar Crime, the U.S. Department of Justice (“DOJ”) issued revisions to its Evaluation of Corporate Compliance Programs (“ECCP”). The newly revised ECCP guidance contains two important changes: (1) the DOJ has directed prosecutors to “consider more closely compensation structures and consequence management when evaluating compliance programs”, and (2) the DOJ will consider corporate practices surrounding the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications, and the company’s ability to access and produce underlying data.
Compensation Incentives and Clawbacks
In its continued efforts to drive compliance-promoting behavior, the DOJ has focused its attention on corporate compensation structures as a way “to shift the burden of corporate malfeasance away from uninvolved shareholders” to those more directly involved in misconduct. In assessing these structures, the DOJ will look for compensation systems that use affirmative metrics and benchmarks to reward compliance-promoting behavior (e.g., promotions, rewards, bonuses), while imposing financial penalties for misconduct to serve as a deterrent that fosters a culture of compliance (e.g., compensation clawbacks or prohibition of bonuses for employees who do not satisfy compliance requirements). In furtherance of this goal, the DOJ also announced its Pilot Program on Compensation Incentives and Clawbacks (the “Pilot Program”).
The Pilot Program is a three-year initiative, effective as of March 15, 2023, that is applicable to all corporate matters in the Criminal Division. There are two main parts to the Pilot Program: (i) compliance enhancements and (ii) deferred fine reduction.
Compliance Enhancements and Compensation Criteria
First, going forward, every corporate resolution entered into by the Criminal Division must include a requirement that the company implement compliance criteria into its compensation and bonus system. The company would also be required to submit an annual report during the term of the resolution to the Criminal Division about its implementation of such criteria. The new policy recommends that such criteria include the following:
- Prohibition on bonuses for employees who do not satisfy compliance performance requirements.
- Disciplinary measures for employees who violate applicable law and others who:
- had supervisory authority over the employee(s) or business area engaged in the misconduct; and
- knew of, or were willfully blind to, the misconduct.
- Incentives for employees who demonstrate full commitment to compliance processes.
The above is not an exhaustive list and Criminal Division prosecutors will have discretion in fashioning appropriate requirements based on the facts and circumstances of each case, including, but not limited to, applicable foreign and domestic law. In making such determinations, prosecutors will also consider how the company has structured its existing compensation program.
Deferred Fine Reduction
Second, with respect to the conduct under investigation, the Criminal Division will offer fine reductions to companies that, in good faith, initiated the process to clawback compensation before the time of resolution from (a) employees that have engaged in related misconduct and/or (b) others who (i) had supervisory authority over the employee(s) or business area engaged in the misconduct and (ii) knew of, or were willfully blind to, the misconduct. Specifically, Criminal Division prosecutors will reduce any fine by an amount equal to 100% of any such compensation that is recouped during the period of the resolution. If a company’s good faith attempt to clawback any such compensation is unsuccessful, prosecutors may, in their discretion, reduce a criminal fine by up to 25% of the amount of compensation that the company sought to claw back.
The DOJ will reevaluate the Pilot Program after three years to determine whether it will be extended or modified in any respect.
Use of Personal Devices and Messaging Applications
With the growing concern over the use of personal devices, communication platforms, and third-party ephemeral messaging applications (e.g. WhatsApp, Signal, Telegram), the DOJ’s revisions to the ECCP specifically address companies’ approaches to the use of personal devices and messaging applications. Criminal Division prosecutors will now evaluate a company’s policies and procedures on use of personal devices and messaging platforms in making charging and resolution decisions. The revised ECCP notes that such policies should be tailored to the company’s risk profile and specific business needs and ensure that “as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company.”
Simply having the policies in place is not enough – prosecutors will also be required to evaluate how these policies and procedures are communicated to employees and whether they are enforced on a regular and consistent basis. Prosecutors will consider the following factors in making this evaluation:
- Communication Channels – assessing, for example, what electronic communication channels the company’s employees actually use, whether officially sanctioned or not, what mechanisms are in place to manage and preserve information contained within each of the electronic communication channels, rationale for determining which communication channels and settings are permitted, etc.
- Policy Environment – assessing the policies and procedures that are in place to ensure that communications and other data are properly preserved and accessible by the company (for example, for companies that have a “bring your own device” or “BYOD” program, assessing its policies governing preservation of and access to corporate data and communications stored on personal devices—including data contained within messaging platforms—and the rationale behind those policies)
- Risk Management – assessing how a company has enforced and measured the effectiveness of its communication-related policies and procedures (for example, considering what the consequences are for violation of the policies and whether the company has ever exercised such punishment, whether compliance or investigations have been impaired because of the use of personal devices or messaging applications, etc.)
To highlight the importance and its concern over the use of personal devices, communication platforms and ephemeral messaging applications, the DOJ notes that during an investigation, if a company has not produced communications from third-party messaging applications, Criminal Division prosecutors “will not accept that at face value.” Prosecutors will push back and ask about the company’s ability to access such communications, if they are stored on company devices or servers, and applicable privacy and local laws, among other things. In other words, companies may not be able to avoid preservation and disclosure obligations simply because employees are using their own devices to conduct business or are utilizing third-party messaging platforms that do not preserve data.
In light of the changes to the ECCP and the DOJ’s messaging of the importance of effective compliance programs and enforcement and communication of such programs, companies should consider revisiting and potentially updating their compliance policies on compensation and business-related communications. In particular, they should examine (i) compensation models, policies and employment agreements with an eye towards fostering a culture of compliance, including through both the use of financial rewards and penalties and (ii) policies concerning the use of personal devices or messaging applications, including appropriate use, monitoring, document retention and preservation policies.