New U.S. DOJ guidance on executive compensation, personal devices and ephemeral messaging

In early March 2023, the Department of Justice (DOJ) issued significant new policies and guidance with regard to corporate compliance.  This continues the surge of compliance policy and guidance pronouncements from DOJ since 2021, issued by both Deputy Attorney General (DAG) Lisa Monaco and Assistant Attorney General for the Criminal Division Kenneth Polite.  The March 2023 announcements chiefly concern two areas the DAG addressed in September 2022: executive compensation and the use of personal devices and ephemeral messaging.  Both are summarized below along with some brief analysis as to how these policies might be addressed. 

Executive compensation

As articulated by the DAG in September 2022, the Department is of the view that “[c]ompensation systems that clearly and effectively impose financial penalties for misconduct can incentivize compliance conduct, deter risky behavior, and instill a corporate culture in which employees follow the law and avoid legal ‘gray areas.’”  With this in mind, the Department has implemented a three-year Pilot Program on Compensation Incentives and Clawbacks (Pilot Program) as well as changes to the Criminal Division’s Evaluation of Corporate Compliance Programs (ECCP).

Pilot Program

The Pilot Program impacts just those companies anticipating a resolution with the Criminal Division.  It provides that every corporate resolution agreed by the Criminal Division will include requirements that the company implement compliance-based criteria within its compensation and bonus system.

“These criteria may include, but are not limited to: (1) a prohibition on bonuses for employees who do not satisfy compliance performance requirements; (2) disciplinary measures for employees who violate applicable law and others who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct and (b) knew of, or were willfully blind to, the misconduct; and (3) incentives for employees who demonstrate full commitment to compliance processes.” 

The Pilot Program also provides for fine discounts for companies that make efforts to recoup compensation from culpable executives by the time of resolution with the Department.  Even if these efforts are ultimately unsuccessful, the company may reap some benefit from making the effort.

It is worth noting that the use of a Pilot Program has some precedent as what is, as of January 2023, the Criminal Division Corporate Enforcement and Voluntary Disclosure Policy, began life back in 2016 as a pilot program with regard to FCPA offenses.  Thus, it may well be that the new Pilot Program is, over time, made permanent and even expanded.

Evaluation of Corporate Compliance Programs

The Criminal Division’s ECCP has been, since 2019, a rather sophisticated set of criteria that Criminal Division attorneys are required to use to assess the compliance program of a company in the context of an investigation and possible enforcement action. A company that meets these criteria may be able to avoid an enforcement action altogether or mitigate the severity of an action and/or fine.

Companies are wise to use the ECCP as a guidepost for determining whether they have effective compliance programs, regardless of whether they are currently before the Department.  For one, the ECCP is a robust, mature document that – for the most part – fairly sets forth the elements of an effective compliance program. Second, because a company never knows when it will be within the crosshairs of the DOJ on a given issue, maintaining a program that would be deemed effective by the DOJ is prudent and will have tremendous benefits in the event of an investigation.

In March 2023, the Criminal Division revised the ECCP to emphasize the importance of financial incentives and disincentives:

• Disciplinary Measures: This new criterion focuses on whether company policies permit clawing back executive compensation in cases of misconduct or supervisory responsibility for misconduct.  Companies will be assessed on the policies they have in place, how well employees are made aware of those policies, and how those policies are, in fact, put into effect when a situation arises.

• Financial Incentive System: The set of criteria that was formerly titled “Incentive System” has been retitled “Financial Incentive System” to add obvious emphasis to policies around compensation. Prosecutors will now consider, inter alia, whether a company has considered the impact of its financial rewards and other incentives on compliance; whether the compliance function has a role in designing and awarding senior level financial incentives; whether bonuses and deferred compensation are subject to cancellation or recoupment and whether the company has a policy in this regard; and whether the company can point to specific instances of using these sorts of policies and practices.

While the idea of having financial incentives and disincentives with regard to compliance intuitively makes good sense, implementing such measures will not be easy and may not be practical.  Legal systems around the world will deal differently with the idea of recouping previously promised, earned or even awarded compensation. The burden of proof in such situations will undoubtedly fall upon the company and the burden may well be too high to meet in many, if not most, instances as corporate misconduct is often more gray than black and white.  Nevertheless, companies should consider the ECCP guidance and make informed judgments about whether or not to adopt relevant policies and procedures and under what circumstances.

Personal devices and ephemeral messaging

In September 2022, the DAG articulated the Department’s view that “[t]he ubiquity of personal smartphones, tablets, laptops and other devices  poses significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation.  The rise in use of third-party messaging platforms, including the use of ephemeral and encrypted messaging applications, poses a similar challenge.” 

As a result, in March 2023, Criminal Division Assistant Attorney General Polite announced additional significant changes to the ECCP on the use of personal devices and messaging applications. Essentially, the Department expects companies to consider how best to regulate the use of personal devices and messaging apps and preserve relevant content.  More specifically, the EECP now directs Criminal Division attorneys to consider the following criteria when evaluating a company’s compliance program:

• Which communication channels are permitted for business communications, and what structures are in place to ensure access and preservation of those channels?
• What preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each?
• What is the company’s rationale for its policies, including if they vary by jurisdiction or with differing applicable laws?
• What is the company’s “Bring Your Own Device” policy, and what is the rationale behind the policy?
• How are the company’s policies enforced and what exceptions or limitations exist?
• What are the consequences for employees who refuse, and does the company regularly exercise its rights under the policies?

The use by companies of personal devices and messaging apps are waters into which the Criminal Division first waded in 2017 and regarding which DOJ then seemed to quickly head back to the safety of the shore without issuing concrete guidance as to what companies should actually do.  This is a thorny problem with no easy answer.  As per the DAG’s September 2022 memo, DOJ frames the issue as a compliance issue and while that has the ring of truth with regard to internal investigations, one gets the feeling that DOJ is really trying to address an evidentiary issue for itself and its investigations.  While the invention of email was surely the greatest gift the heavens ever bestowed upon white collar crime prosecutors, the rise of messaging apps threatens to cause massive proof problems for DOJ. It is this problem that the Department seems most intent on solving.  In any event, DOJ has now put companies in the position of having to address this issue and making thoughtful, well-reasoned judgements about policies and procedures.

Managing the risk of unsanctioned communication channels for business purposes was one of ten key challenges that we identified for In-House Counsel and Heads of Risk for 2023 in the Allen & Overy Cross-Border White Collar Crime and Investigations Review.