On March 3, 2023 the Department of Justice (“DOJ”) announced its Compensation Incentives and Clawbacks pilot program (the “Program”),1 which will become effective March 15, 2023. Consistent with Deputy Attorney General Lisa Monaco’s September 15, 2022 memorandum,2 the Program aims to shift the burden of corporate malfeasance from shareholders to individual employees and corporate leaders who are directly responsible for wrongdoing through compensation incentives to cultivate responsible corporate behavior. As set forth below, when entering into a criminal resolution, the Program will require companies to implement compliance-related criteria into their compensation and bonus structures.3 Companies also may be eligible for fine reductions if they seek to clawback compensation paid to individual wrongdoers.4 The DOJ specifies that companies should adopt policies directing the preservation of business-related communications on employees’ personal devices.5 The Program will not modify the Criminal Division’s Corporate Enforcement Policy, the Evaluation of Corporate Compliance Programs, or the Principles of Federal Prosecution of Business Organizations, and may be extended or modified at the end of the three-year pilot period.6
Compensation Incentives
Under the Program, corporations entering resolutions with the Criminal Division will be required to incorporate compliance-promoting criteria into their compensation and bonus structures. Criteria may include, but are not limited to: (1) a prohibition on bonuses for noncompliant employees; (2) disciplinary measures for both culpable employees and the executives who supervise them; and (3) incentives for employees who demonstrate commitment to the compliance processes.7
Clawbacks
Additionally, companies will receive fine reductions if they seek to claw back compensation from culpable employees or those executives who supervised or knew of and were willfully blind to the misconduct, in addition to fully cooperating with a criminal resolution and remedial measures.8 A reserved credit equal to the amount of compensation the company is attempting to claw back from the culpable employees and executives will be subtracted from the company’s otherwise applicable fine.9 At the conclusion of the resolution term, if the company successfully recoups compensation from the culpable employees, the company may keep the recouped money instead of paying the recovered amount to the Criminal Division.10 If the company’s attempt to recoup is unsuccessful, a reduction of up to 25% of the compensation that the company attempted to claw back may be granted at the discretion of Criminal Division prosecutors.11
Personal Devices
The DOJ specifically highlighted the use of personal devices by corporate employees as a practice in need of additional oversight.12 When implementing policies and procedures governing the use of personal devices, the DOJ suggests companies should consider their risk profiles and specific business needs to ensure that business-related communications are amenable to preservation and accessible to the company on the various communication platforms and messaging applications.13 Companies should be able to identify the different communication channels their employees use to conduct business, including an assessment of how and why practices may vary by jurisdiction and business function, and implement mechanisms to preserve business communications in each of these channels.14 Companies with “bring your own device” programs should establish policies governing preservation and access to corporate data and communications stored on employee personal devices.15
Practice Points
The Criminal Division does not use a formula to assess the effectiveness of a corporate compliance program. Rather, an individualized determination is made in each case considering a wide variety of factors, including company size, industry, regulatory landscape, and geographic footprint. Given that appropriate compliance measures vary by industry, companies should proactively ensure their policies and procedures align with their industry requirements.16 The DOJ generally recommends to prosecutors that, when evaluating the effectiveness of a corporate compliance program, they should consider whether the compliance program is (1) well designed, (2) applied in good faith, and (3) effective in practice.
Design. The DOJ recommends considering whether the compliance program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”17 The company should consult relevant business units about design prior to the compliance program’s roll out.18 Resources should be appropriately tailored to high-risk areas, periodically reviewed, and updated with lessons learned from prior compliance issues, both within the company and from other companies in similar industries.19 Companies should have a code of conduct accessible to all employees that sets forth the company’s commitment to compliance in a searchable format for easy reference.20 The company should consider any linguistic or other barriers that may restrict employee access to the compliance program and ensure the program has been integrated in a manner that is tailored to employee volume, sophistication, and subject matter expertise.21 Additionally, periodic compliance training should be provided to all employees, officers, directors, and relevant third parties.22
Application. The DOJ recommends for prosecutors to assess whether a company’s compliance program is properly implemented, resourced, reviewed, revised, and “whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.”23 Companies should therefore ensure their leaders set the tone at the top by clearly articulating and modeling compliance for the rest of the organization.24 One hallmark of effective implementation of a compliance program is establishing incentives for compliance.25 Companies should also employ risk management protocols, including policies that impose consequences on employees who refuse to provide access to business communications on their personal devices or refuse to cooperate with internal investigations.26 For example, a company may consider publicizing disciplinary actions internally to create a deterrent effect.27 Companies also may adopt policies for recouping costs or reducing compensation as a consequence for employee noncompliance.28
Effect. The DOJ recognizes that “no compliance program can prevent all criminal activity by a corporation’s employees.”29 Nonetheless, companies should ensure that their program effectively identifies misconduct and allows for timely and thorough remediation, as well as self-reporting. Prosecutors are advised to consider whether a company’s program has evolved over time to address changing compliance risks, both in response to issues in the company and to issues in similarly situated companies, and whether the company undertook an analysis to understand both what contributed to the misconduct and the degree of remediation necessary to prevent future violations.30 Companies should ensure there is an effective mechanism for timely and thorough investigation of any alleged misconduct.31 Investigations should be properly scoped, independent, objective, and enforce the ethical values of the company.32 Finally, companies should ensure that their approach in managing communication channels is reasonable in the context of their business needs and risk profile.33
1 U.S. Dep’t of Justice, Mem. on The Criminal Division’s Pilot Program Regarding Compensation Incentives and Clawbacks (March 3, 2023), https://www.justice.gov/opa/speech/file/1571906/download [hereinafter Program Memo].
2 In September 2022, Deputy AG Monaco announced that whether a corporation has policies and controls in place to effectively monitor the use of personal devices and third-party applications will factor into a corporation’s eligibility for cooperation credit. She urged companies to implement policies governing business communications via personal devices and third-party messaging platforms, provide training on those policies, and enforce policies when violations are identified. See U.S. Dep’t of Justice, Mem. on Further Revisions to Corp. Criminal Enforcement Policies Following Discussions with Corp. Crime Advisory Group (Sept. 15, 2022), https://www.justice.gov/opa/speech/file/1535301/download; Andrew Ackerman, Big Regional Banks Might Face New Rules for Dealing With a Crisis, The Wall Street Journal, Sept. 18, 2022, https://www.wsj.com/articles/big-regional-banks-might-face-new-rules-for-dealing-with-a-crisis-11663495202; Ben Penn, WhatsApp, Signal Chats Targeted in DOJ Crackdown on Executives, Bloomberg Law, Sept. 27, 2022, https://news.bloomberglaw.com/us-law-week/doj-targets-whatsapp-signal-chats-to-prosecute-more-executives.
3 Program Memo, supra n. 1.
4 Id.
5 U.S. Dep’t of Justice, Evaluation of Corp. Compliance Programs, 17-18 (Mar. 2023), https://www.justice.gov/criminal-fraud/page/file/937501/download.
6 Program Memo, supra n. 1.
7 Id. at 2.
8 Id. at 2-3.
9 Id.
10 Id.
11 Id.
12 Evaluation, supra n. 5.
13 Id.
14 Id.
15 Id.
16 Id. at 1.
17 U.S. Dep’t of Justice Manual § JM 9-28.800 (Mar. 2023).
18 U.S. Dep’t of Justice, Evaluation of Corp. Compliance Programs, 4 (Mar. 2023), https://www.justice.gov/criminal-fraud/page/file/937501/download.
19 Id. at 3.
20 Id.
21 Id. at 4.
22 Id.
23 U.S. Dep’t of Justice Manual, supra n. 14.
24 Evaluation, supra n. 18, at 9.
25 Id. at 12.
26 Id. at 18.
27 Id. at 12.
28 Id.
29 U.S. Dep’t of Justice Manual § JM 9-28.800 (Mar. 2023).
30 U.S. Dep’t of Justice, Evaluation of Corp. Compliance Programs, 3 (Mar. 2023), https://www.justice.gov/criminal-fraud/page/file/937501/download.
31 Id. at 6.
32 Id. at 16.
33 Id. at 18.