DOJ Revises FCPA Corporate Enforcement Policy
On March 8, 2019, the Department of Justice (“DOJ”) released a revised version of its FCPA Corporate Enforcement Policy (the “Policy”), which provides enforcement and practice guidance to DOJ prosecutors and was formally incorporated into the U.S. Attorneys’ Manual in November 2017. United States Attorneys’ Manual, FCPA Corporate Enforcement Policy Section 9-47.120 (as of Mar. 15, 2019). Assistant Attorney General Brian A. Benczkowski announced the revisions to the Policy in a speech at the American Bar Association’s National White Collar Crime Institute in which he highlighted the DOJ’s commitment to transparency and the need to ensure its “ongoing process of refinement and reassessment.” DOJ Press Release, Assistant Attorney General Brian A. Benczkowski Delivers Remarks at the 33rd Annual ABA National Institute on White Collar Crime Conference (Mar. 8, 2019). Important changes to the Policy include expansion of the Policy in the context of mergers and acquisitions, as well as softening the DOJ’s approach to software that does not retain communications.
The FCPA Corporate Enforcement Policy, originally announced by the DOJ in November 2017 and subsequently incorporated into the U.S. Attorneys’ Manual, was designed both to aid the DOJ’s ability to identify and punish criminal conduct efficiently and also to provide “guidance and increased certainty to companies struggling with the question of whether to make voluntary disclosures of wrongdoing.” See Shearman & Sterling LLP, Deputy Attorney General Rod Rosenstein Announces Revised FCPA Corporate Enforcement Policy, Need-to-Know Litigation Weekly, Dec. 5, 2017, http://www.lit-wc.shearman.com/deputy-attorney-general-rod-rosenstein-announces-. The changes to the Policy announced by the DOJ on March 8, 2019 fall into three categories:
First, the updated Policy now includes specific guidance for companies that discover FCPA violations in the course of due diligence associated with a prospective merger or acquisition or post-acquisition. The M&A-specific provision allows a “presumption of a declination” in cases “where a company undertakes a merger or acquisition, uncovers misconduct through thorough and timely due diligence or, in appropriate instances, through post-acquisition audits or compliance integration efforts, and voluntarily self-discloses the misconduct and otherwise takes action consistent with this Policy.” The issue of successor liability for past FCPA violations committed by a target company presents a significant risk for companies in M&A transactions, particularly given that M&A transactions sometimes involve limited access to a target company’s data and records. The original Policy issued in November 2017 did not specifically address this, and in keeping with the DOJ’s expressed objective of transparency and consistency, the updated Policy clarifies DOJ guidance on this issue.
Second, the updated Policy explains that while senior management involvement in potential violations is considered an aggravating factor, it is not dispositive and will not automatically preclude companies from receiving a declination. In fact, two recently announced DOJ declinations included involvement of high-level management—Cognizant and ICBL. However, because the companies voluntarily self-disclosed (in the case of Cognizant, within two weeks of discovering the misconduct), fully cooperated, and timely remediated (including removing the high-level managers involved), the companies were granted a declination by the DOJ.
Finally, a small change in the wording of the Policy softened the Policy’s approach to companies’ use of software that does not retain records. On its face, the original Policy appeared to indicate that companies would not be eligible for remediation credit if they did not “prohibit employees from using software that generates but does not appropriately retain business records or communications.” United States Attorneys’ Manual, FCPA Corporate Enforcement Policy Section 9-47.120 (Nov. 2017). Many current technologies and applications, especially internal messaging systems used by companies, may not save their content or might otherwise make the information unavailable. Because of the language of the original Policy, companies had to decide whether to ban these ubiquitous technologies entirely or risk being automatically ineligible for remediation credit. The new language merely states that companies must “implement appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications.” This change also provides clarification for companies that might have considered fairly drastic measures to comply with the letter of the former version of the Policy.
All these changes seem designed to further incentivize corporations to voluntarily self-disclose potential misconduct, and to adjust the Corporate Enforcement Policy to address concerns that were likely voiced by practitioners. This recent revision, particularly in the context of other similar policy developments—e.g., the Policy on Coordination of Corporate Resolution of Penalties and the Corporate Monitor Policy—underscores the DOJ’s espoused commitment to “be as transparent and consistent as possible about the criteria we apply in exercising our prosecutorial discretion.”