Year in Review: Top Anti-Corruption Enforcement and Compliance Trends and Developments

Winter 2024, Covington Alert

What You Need to Know:

Last year, the SEC and DOJ roughly kept pace with their 2022 FCPA enforcement statistics, depending on the metric. Collectively, both agencies entered into a few more resolutions in 2023 than in 2022. While 2023’s total monetary sanctions were only 60% of those imposed the year prior, the two years’ numbers are not so far apart when setting aside 2022’s Glencore guilty plea, which netted nearly $444 million for DOJ. But these numbers still fall far short of the government’s enforcement record in the late 2010s.
Perhaps it is no surprise, then, that DOJ has spent the past few years taking steps to replenish the pipeline, both by enhancing its ability to detect misconduct proactively through increased resources and new technologies like artificial intelligence (“AI”) and data analytics—and by rolling out major policy incentives designed to encourage self-reporting. Given the long life cycle of a government investigation, it may take years before we can tell whether these steps, combined with return to normalcy for companies and the government post-COVID, bring enforcement levels back up to their average levels over the past 10 years.
The government’s expectations for corporate cooperation remain high and are growing—and they can have tangible effects on financial outcomes come resolution time. Last year, DOJ repeatedly has underscored the importance of proactive, rather than reactive, cooperation, meaning that companies should be prepared to follow best investigative practices, do them without being asked, and demonstrate how their efforts yield information that the Department cannot obtain on its own.
Last year, DOJ also highlighted its expectations when it comes to compensation, ephemeral messaging and personal device use, and the use of measurable analytics to track and enhance the efficacy of corporate compliance programs. Again, proactivity here is key: the Department expects to see data-driven investments in compliance and controls well before a company begins engaging with the government.

Last Year, the Department Dangled Even More Carrots for Corporate Self-Reporters while Preserving an Arsenal of Sticks for Insufficient Cooperation or Remediation

DOJ Beckons Self-Reporters with Continued Voluntary Disclosure Incentives

DOJ continued making policy news throughout the year, releasing several significant new corporate enforcement policies that reinforce the Department’s continued push to incentivize companies to come forward when they identify potential misconduct. First was the Criminal Division’s Corporate Enforcement and Voluntary Self-Disclosure Policy (“CEP”), which we covered in a previous alert. (Several other DOJ components announced similar policy updates in February and March 2023, which we also covered in an alert.) The updated Criminal Division policy, which continues to expand the availability of declination with disgorgement to corporate self-reporters, is the culmination of a series of initiatives and informal practice dating back to 2016’s FCPA Pilot Program, which we have covered in previous alerts here, here, here, here, here, and here. Then came October’s Mergers and Acquisitions Safe Harbor Policy (“Safe Harbor Policy”), which expanded voluntary-disclosure incentives to the mergers-and-acquisition context and which we covered in this alert.

Last year, we asked whether these new policies would be enough to move the needle on voluntary self-disclosure, noting the extraordinarily difficult choice that companies face when deciding whether to report potential misconduct. Given the long life cycle of a DOJ investigation, it is not yet clear a year later whether these policy revisions will usher in a wave of self-reporters. Early signs are not particularly telling. The Department announced two FCPA declinations with disgorgement in 2023, keeping steady with the year before—but both corporate defendants reported their misconduct years before the 2023 CEP revisions took effect. While investigations reported in public SEC filings are not a perfect metric for voluntary self-disclosure, seven companies appeared to disclose new FCPA-related government investigations in 2023—slightly higher than the five the previous year, but again, substantially lower than the ten-year average.

The new voluntary disclosure policies do not meaningfully change the corporate compliance playbook. Companies should equip their legal and compliance teams with tools to detect and promptly investigate potential misconduct, so that they can be positioned to reap the benefits voluntary self-disclosure if they so choose. Companies should also ensure that their pre- and post-closing diligence and integration processes are designed to identify legacy or ongoing misconduct at acquired companies, so that they can remediate and decide whether to report by the deadlines set in the Safe Harbor Policy. It is clear that companies do not have unlimited time to decide whether to voluntarily self-disclose: in one resolution last year, for example, a corporate defendant voluntarily disclosed its conduct but did so approximately 16 months after discovering the conduct—“belatedly,” in the Department’s view. Because its reporting was not “reasonably prompt,” the company missed out on receiving the 50-to-75% penalty reduction afforded to self-reporters that do not qualify for a declination with disgorgement under the new CEP—a difference potentially in the tens of millions—in spite of the praise it otherwise received in the enforcement papers for its cooperation.

Taking Cooperation Seriously: DOJ Signals its Expectations in Corporate Enforcement Actions

As noted above, over the past few years DOJ has aimed to nudge corporate defendants toward voluntary self-disclosure and cooperation with a delicate balance of benefits for self-reporters and cooperators, on the one hand, and demerits in cooperation credit for companies that fail to cooperate effectively or fully. (For more on this, see our previous alert.) But the meaning of certain terms in Department policy—“extraordinary” cooperation, “appropriate” remediation, etc.—can be hard to define in practice. Practitioners must read the tea leaves from the past year’s resolutions to glean practical insights.

One buzzword that popped up throughout the year was “reactive,” as opposed to “proactive,” cooperation—in other words, DOJ expects cooperators to anticipate best practices and to undertake them without being asked to do so. DOJ dinged two companies last year for what it viewed as insufficiently proactive cooperation, resulting in reduced penalty discounts. One company was criticized for being “more reactive than proactive” in a speech by Acting AAG Nicole Argentieri, while another’s deferred prosecution agreement (“DPA”) described its cooperation as “limited in degree and impact, and largely reactive.” The latter company’s DPA, in particular, noted relatively few examples of cooperation—responding to requests, producing and summarizing documents, analyzing financial information, and making employees available for interviews—making clear that DOJ views these types of steps as less than table stakes for corporate cooperation. Another company, by contrast, received praise—and a significant discount off of its penalty—for acting “with urgency” and cooperating “extensively,” as Acting AAG Argentieri put it. Reading between the lines of DOJ’s public statements about the resolution, the Department appeared to place a high premium on both speed and the provision of information that it could not have gotten on its own, including rapid disclosure of information that “allowed the government to preserve and obtain evidence,” “proactively” identifying information “previously unknown” to DOJ, furnishing witnesses located outside the U.S., and producing documents located abroad “in ways that did not implicate foreign data privacy laws.”

DOJ also took a strong stance in 2023 on compliance with the terms of corporate criminal resolutions—a stated priority at least since 2021’s Monaco memo and highlighted in a September speech by Principal Associate Deputy Attorney General Marshall Miller—by declaring Swedish telecommunications company Ericsson in breach of its 2019 DPA. More than a year after Ericsson’s DPA became final, the company reportedly disclosed that it had failed to produce documents and information that were relevant to the original investigation—as well as findings regarding unrelated FCPA conduct—all of which the company reportedly was aware of before it entered into the DPA. As a result, DOJ revoked the DPA, which required prompt reporting of “any evidence or allegation of conduct that may constitute a violation of the FCPA.” Ericsson pled guilty to the underlying FCPA charges and paid an additional $206-million fine—in part reflecting an amount that Ericsson had to pay back from its cooperation discount under the 2019 DPA.

DOJ Continues to Set High Expectations for Corporate Compliance Programs

Throughout 2023, DOJ made good on the promises made in the 2022 Monaco memo to scrutinize more closely whether companies’ compliance programs are “effective.” In March 2023, DOJ released an updated Evaluation of Corporate Compliance Programs policy, which emphasized the Department’s focus on companies’ financial incentives and disincentives related to compliance, personal device and ephemeral messaging policies, and other compliance elements. The same month, the Criminal Division also launched a three-year Pilot Program on Compensation Incentives and Clawbacks (“Pilot Program”), which offers a discount against a company’s fine equal to the compensation withheld or clawed back from culpable employees, among other benefits. In September, DOJ applied the program for the first time, reducing one corporate defendant’s penalty by $763,453 for bonuses that it withheld from qualifying employees; in January 2024, another company received a $109,141 reduction for withholding compensation from qualifying employees, which it “defended in substantial litigation,” according to DOJ.

Companies can take a few lessons from these policy revisions. First, companies should take stock of their current policies and practices on personal device usage, communications on third party messaging applications, and compensation and consider whether enhancements are warranted. (For more on compliance-promoting compensation policies, see our analysis here.) Second, DOJ remains focused on ongoing compliance monitoring as a sign that companies are focused on detecting misconduct and assessing the strength of their own controls. When engaging with corporate defendants, prosecutors will likely ask what a company has done to analyze and track its data both at the time of misconduct and at the time of potential resolution. And increasingly, in order to meet DOJ's expectations, companies must consider how they can not only enhance their compliance programs, but do so in ways that make use of data, metrics and benchmarks. Pointing to concrete examples of a compliance program's teeth—like the denial of a promotion or bonus for compliance-related reasons—will likely be an expectation going forward. Data analysis and even emerging technologies like AI can also help companies assess the effectiveness of controls, such as by measuring employee uptake on using company-owned communications platforms. While translating something as amorphous as a compliance culture into a suite of metrics is not always easy, the Department is increasingly focused on ways to bring measurability, accountability, and demonstrated efficacy to corporate compliance—and companies must keep up.

New Demand-Side Bribery Law Made a Splash but Is Unlikely to Affect Companies’ Anti-Corruption Exposure

Signed into law just before the end of the year, the Foreign Extortion Prevention Act (“FEPA”) aims to fill the “demand side” gap under the FCPA by creating a U.S. federal criminal offense specifically targeting enforcement against foreign officials who solicit, agree to receive, or accept bribes. There are various jurisdictional and definitional incongruities between the FEPA and the FCPA, and corporate actors already subject to the FCPA may worry that FEPA creates new areas of criminal exposure for them. But at the end of the day, FEPA explicitly provides that its prohibitions do not “encompass[] conduct that would violate” the FCPA—in other words, by the statute’s own terms, conduct that violates the FCPA cannot form the basis of a FEPA violation. Companies that already have strong anti-corruption compliance programs should be well positioned to address the risks targeted by FEPA.

But that does not mean that FEPA will not affect how companies investigate their own misconduct overseas—and, when the time comes, engage with the Department. For one, prosecuting bribe-takers abroad comes with inherent difficulties for the government—obtaining foreign evidence, jurisdictional challenges, and international comity, just to name a few. For that reason, we expect that a large portion of DOJ’s FEPA-related fact-finding would happen through companies under investigation for potential FCPA violations. Much like existing DOJ policy asks cooperating corporations to identify individual employees who are responsible for misconduct, the Department may press them to provide detailed information on the foreign officials who received improper payments as an element of receiving cooperation credit. This raises a host of questions, such as whether companies will be expected to cooperate in other DOJ investigations in which their own conduct is not subject to prosecution, or even where they are the victim of another’s misconduct, and what sort of mitigation credit they might expect to receive on that basis.

As noted above, companies with effective anti-corruption compliance programs already have the tools to address the risks targeted by FEPA. If anything, the new law provides yet another reason for companies to maintain effective internal reporting frameworks to detect, monitor, and track bribery risks. Like all increased attention on the corruption landscape, this is further incentive for companies to invest in compliance, either to take advantage of potential benefits or to prevent misconduct.

New Technologies Continue to Augment the Enforcement Landscape

New Technologies like AI Are Becoming New Tools for Prosecutors—But the Old Ones Are Doing Just Fine

AI dominated news cycles over the past year, drawing interest from the private and public sector alike. While DOJ had already issued a strategy focused on “Department-wide AI adoption” as early as 2020, last October President Biden issued an executive order directing the Department to develop recommendations on the implementation of AI tools in law enforcement. In response, Deputy Attorney General Lisa Monaco delivered a speech announcing two major AI-related initiatives at DOJ: one recommending longer sentences for AI-related offenses, and the other directing an internal evaluation on the safe and ethical deployment of the technology in Department investigations. DAG Monaco called AI “an indispensable tool” in DOJ’s arsenal—possibly “the sharpest blade yet”—and hinted at ways the Department has already leveraged the technology, including by tracing opioids and other drugs, triaging whistleblower tips, and synthesizing evidence in its January 6 prosecutions. In the anti-corruption context, AI could supercharge DOJ’s ongoing investments in advanced data analytics, potentially allowing the Department to detect financial misconduct on its own rather than relying on whistleblowers and self-reporters. As one example, in the prosecution of Arturo Murillo, a former Bolivian official, DOJ developed the case proactively by using data analysis to scrutinize financial records and information already available to it. Acting AAG Argentieri promised that DOJ has “only just gotten started” using data analytics to generate FCPA cases and will “bring to bear even more data, along with tools that can interpret and synthesize that information.” AI seems poised to be just the type of tool to “interpret and synthesize” the vast quantities of data at DOJ’s disposal, and with Departmental interest and investment in the technology, the next few years could see real advances in the government’s capabilities in this area.

Paired with old tools like whistleblowers tips—which reached record highs at the SEC last year—the government is better positioned than ever to identify misconduct on its own. This new reality further complicates what is already a difficult decision by companies as to whether and when to disclose misconduct.

DOJ Dips Its Toe into FCPA Enforcement in the Cryptocurrency Industry

DOJ has been no stranger to enforcement against the cryptocurrency industry, but its prosecutions have typically relied on charges like money laundering, securities fraud, and wire fraud. It was notable, then, when prosecutors brought the first-ever FCPA case in the cryptocurrency space last year. In March 2023, a grand jury in the Southern District of New York (“SDNY”) returned a superseding indictment charging FTX Trading Ltd. founder Sam Bankman-Fried with conspiracy to violate the FCPA, adding to the litany of fraud, money laundering, and campaign finance violation charges prosecutors had brought late in 2022. As alleged, in 2021, Bankman-Fried “authorized and directed” a bribe of cryptocurrency worth at least $40 million to one or more Chinese government officials, allegedly in order to unfreeze certain Alameda Research accounts that had been frozen by Chinese law enforcement. Bankman-Fried has since been convicted of the fraud and money laundering counts charged in the original indictment, and on December 29, 2023, DOJ informed the district court in a letter that it does not plan to pursue a trial on the FCPA charges, although it maintained that it had “proved” the offense through evidence offered at the first trial.

Does Bankman-Fried’s case signal DOJ’s desire to begin leveraging the FCPA in crypto-related enforcement, or was this merely a blip? Practitioners noted several things about the charges—including, perhaps obviously, that DOJ views digital currencies as a “thing of value” within the scope of the statute, and that they have effective means of building cases even in the context of what is meant to be a more diffuse, less traceable system of economic exchange. Ultimately, we suspect that regulators will continue to focus on the many other tools they have at their disposal to detect criminal misconduct in crypto. But with its international scope and foreign regulatory touchpoints, this relatively young industry could be fertile ground for bribery—and corresponding DOJ attention.

The following Covington lawyers assisted in preparing this client update: Steven Fagell, Nancy Kestenbaum, Don Ridings, Jennifer Saperstein, Ben Haley, Adam Studner, Josh Roselman, Brendan Woods, Elizabeth Hall, Kevin Coleman, and Funmi Anifowoshe-Manning.