Junmo Yoon

Associate Editor

Loyola University Chicago School of Law, JD 2024

The U.S. Department of Justice (DOJ) announced significant changes to its Evaluation of Corporate Compliance Programs (ECCP) on March 2, 2023, at the American Bar Association’s National Institute on White Collar Crime. By investigating deeper into companies’ compliance programs, DOJ now provides new stricter guidelines and emphasizes its vigilance and the level of commitment expected from companies. The latest announcement illustrates DOJ’s continued emphasis on company policies regarding compliance incentives and disincentives in executive compensation and the preservation of company communications made via personal devices and instant messaging applications.

Companies should rethink risk management

Companies have regarded compliance as an additional expense and a peripheral subdivision. As a result, companies have largely refrained from enhancements and investments to its compliance programs and personnel. However, as evidenced by many recent banking failures and crypto meltdowns, overlooking risk management has resulted in fines, penalties, and vaporization of companies especially in the finance sector.

As the dollar amount collected through penalties and enforcement by regulators reaches new records and the current business environment remains uncertain with rising interest rates, current economic conditions, growing geopolitical risks, companies should reassess their compliance programs. Recent announcements and guidance signal DOJ’s focus on incentivizing corporations to form compliance policies that are effective, adequately resourced, and fully implemented.

DOJ’s new guidance

DOJ’s newest emphasis on ethics and compliance culture, along with greater specificity on “consequence management” is a welcome breath of fresh air for corporate compliance and due diligence. The three-year Pilot Program announced by DOJ has the following key components.

First, any company entering into a corporate resolution with DOJ must include compliance-promoting criteria in its compensation and bonus systems. DOJ noted this requirement had already been incorporated into recent resolutions and the criteria should be tailored to the company’s existing compensation system. The new guidelines instructs prosecutors to consider whether a company has: (1) incentivized compliance by designing compensation systems that defer or escrow certain compensation tied to conduct standards, (2) attempted to recoup compensation previously awarded to individuals who are responsible for corporate wrongdoing, or (3) made working in compliance a means of career advancement by, for example, offering opportunities in compliance-related roles or setting compliance as a significant metric for management bonuses.

In addition, compliance-related criteria may include: (1) a prohibition on bonuses for employees who do not satisfy compliance performance requirements, (2) incentives for employees who demonstrate full commitment to compliance processes, and (3) disciplinary measures for employees who violate applicable law and others who both (a) had supervisory authority over the employee(s) or business area engaged in the misconduct, and (b) knew of, or were willfully blind to, the misconduct.

Second, DOJ will offer fine reductions to companies that seek to claw back compensation (provided the company is also fully cooperating with DOJ’s investigation and took timely and appropriate steps to remediate the misconduct). At the time the resolution is entered, the resolving company will be allowed to pay the applicable fine, less the amount of compensation it is seeking to recover from those involved in the misconduct. At the close of the resolution period, the company will be permitted to keep all compensation recovered. Companies that pursue clawbacks in good faith, but are unsuccessful, will also be eligible for a fine reduction.

Third, DOJ’s new ECCP guidelines focuses on the use of personal devices and the retention of ephemeral messaging. While DOJ understands the “ubiquity” of communications and ephemeral messaging platforms, it expects companies to update their policies and procedures to adapt to the new reality. Consistent with DOJ’s core theme, the policies that govern the use of communication should be tailored to the company’s risk profile and specific business needs. In evaluating company policies, prosecutors will assess: (1) types of communication channels company personnel use, (2) policies and procedures governing the use of communication platforms and channels; and company’s risk management measures, such as the consequences for employees who refuse company access to company communications, the impact of the use of ephemeral messaging applications on employee evaluation and employee’s compliance with company policies and procedures.

DOJ’s goal

The new 2023 ECCP reflects DOJ’s view that the design and implementation can foster positive compliance culture. DOJ further seeks to reduce or shift the burden of corporate wrongdoing away from shareholders to those directly responsible for the misconduct and encourage companies to factor in compliance into their corporate atmosphere.

It is critical for companies to understand the recent policy changes and priorities of DOJ, so they can best position to deter wrongdoing, and, if wrongdoing does occur, identify it promptly, and remediate. In the short term, companies should consider: (1) reviewing and revising policies related to device usage, and data retention, (2) training employees on best practices related to device usage, (3) reviewing evaluation and compensation metrics, (4) holding remedial trainings on compliance policies and procedures, as well as the relation between compliance, evaluations, and compensation.