On December 16, 2022, U.S. Attorney General Merrick Garland issued a memorandum (the Garland memo) to all federal prosecutors, reflecting a significant new policy regarding charging, pleas, and sentencing in federal criminal cases. The Garland memo replaces prior U.S. Department of Justice (DOJ) policy and applies to all federal criminal prosecutions initiated on or after January 17, 2023.

Under the new DOJ policy, federal prosecutors making charging decisions must consider whether the consequences of those charges for sentencing would yield a result that “is proportional to the seriousness of the defendant’s conduct, and . . . achieves such purposes of the criminal law as punishment, protection of the public, specific and general deterrence, and rehabilitation.”  The new policy makes clear that the goal of any prosecution is a sanction that is “sufficient, but not greater than necessary” to satisfy these considerations.  The Garland memo further provides that prosecutors should not file charges, or threaten to do so, simply to exert leverage to induce a plea.

The Garland memo reflects a continued departure from the prior administration’s policy, which provided that federal prosecutors “should charge and pursue the most serious, readily provable offense.”  The prior policy was revoked in January 2021 by then-acting U.S. Attorney General Monty Wilkinson.

The Garland memo, in short, appears to be embracing a policy of prosecutorial lenity, and could prove to be a useful tool going forward for the defense bar in plea negotiations and at sentencing.

Continue Reading Garland Memo, Emphasizing Prosecutorial Lenity, Reflects Significant DOJ Policy Shift

The Supreme Court of the United States will decide an issue impacting charging decisions in criminal cases involving technology and where those cases are tried. Specifically, the Supreme Court will decide whether criminal defendants may be retried after they are convicted in the wrong “venue,” i.e., the location where the trial took place. This constitutional venue requirement—and the Supreme Court’s ultimate decision on the remedy for violating it—will influence future cases involving technology, where defendants, victims, servers, and resources used to commit the crime are often in different states or even nations.

In the case at issue, the defendant allegedly hacked into a company’s website, obtained certain trade secrets, and offered to sell those trade secrets through various posts on social media. As with many crimes involving technology today, numerous locations were involved: the defendant remained entirely within the Southern District of Alabama, the victim-company was in the Northern District of Florida, and the victim-company’s hacked servers were in the Middle District of Florida. But where to conduct the trial? Based on the location of the victim-company’s headquarters, the government decided (incorrectly) to indict the defendant in the Northern District of Florida, on three counts: violation of the Computer Fraud and Abuse Act, theft of trade secrets, and extortion. At the end of trial, the jury convicted the defendant of the latter two counts.

On appeal, the U.S. Court of Appeals for the Eleventh Circuit held that for the trade-secrets conviction “venue was not proper in the Northern District of Florida because [the defendant] never committed any essential conduct in that location.” To remedy this violation, the court had two options: (1) vacate the conviction, allowing the defendant to be retried in a (supposedly) proper forum, or (2) acquit the defendant of his conviction in the improper forum, which would bar his retrial in another forum under the U.S. Constitution’s Double Jeopardy Clause that prohibits giving “the government . . . a second chance at prosecution.” The 11th Circuit chose the first option, endorsing a remedy that effectively allows the government, when it chooses the wrong venue, to retry a defendant in  the correct venue.

Continue Reading Venue Misstep Shows Complexity of Prosecuting Cybercrime: Supreme Court to Weigh In

On November 28, 2022, the Council of the European Union (EU) gave final approval to implement the EU Corporate Sustainability Reporting Directive (CSRD), ushering in a new, expanded environmental, social, and corporate governance (ESG) disclosure regime for many companies with a connection to Europe. In 2025, the CSRD will require many companies to file reports disclosing certain information for the 2024 fiscal year. Companies should review the CSRD disclosure requirements now to understand the scope of their obligations.  

Continue Reading The ESG Disclosure Wave: Final Approval for the EU’s Corporate Sustainability Reporting Directive

It should come as no surprise that much of the recent 2022 ACI Foreign Corrupt Practices Act (“FCPA”) conference centered around Department of Justice (DOJ) Deputy Attorney General Lisa Monaco’s September 15, 2022 memorandum (the “revised Monaco memo”) concerning updates to the DOJ’s corporate criminal enforcement policies.  Among other things, that memo directs components of DOJ to provide further guidance on (1) corporate compensation structures that promote compliance, (2) corporate use of personal devices and third-party applications, and (3) voluntary self-disclosure by corporations. Although attendees were hoping to receive that further guidance at the FCPA conference, the government stated only that it would be forthcoming. 

Of the three topics expected to be further clarified, many multi-national entities that have previously resolved FCPA or other regulatory violations are eagerly awaiting further guidance on voluntary self-disclosure and, in particular, whether recidivism is an aggravating factor that puts a guilty plea back on the table of possible outcomes for a corporation that otherwise voluntarily self-discloses, cooperates, and remediates. 

Continue Reading Is Corporate Recidivism an Aggravating Factor that Undermines the Potential Benefit of Voluntary Self-Disclosure to DOJ?  Time Will Tell.

The U.S. Department of Justice (DOJ) recently released new guidance announcing several policy changes to further strengthen and clarify its approach to prosecuting corporate crime. The guidance, released through a memorandum by Deputy Attorney General Lisa Monaco (the Monaco Memo), instructs prosecutors about factors to consider when evaluating corporate cooperation and compliance programs in the context of potential criminal resolutions.

Notably, the Monaco Memo advises that “prosecutors should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.” This guidance is applicable to all third-party text and social media messaging platforms, and it is especially significant given the recent proliferation of business use of ephemeral messaging applications that provide an option to have messages automatically disappear from a recipient’s conversation history.

Companies would be wise to promptly review their business communications policies and procedures, in light of both possible DOJ oversight, as well as emerging privacy, security, and employment law scrutiny.

Continue Reading Recent DOJ Guidance on Personal Devices and Third-Party Messaging Applications Applies to Any Company DOJ May Scrutinize

Just this week, the Securities and Exchange Commission announced its enforcement results from fiscal year 2022. The Commission recovered a record $6.4 billion in penalties and disgorgement from companies and individuals. The announcement touted the 760 total enforcement actions in FY 2022—a nine percent increase from the year before—and summarized areas of innovation and growth within the Enforcement Division. Two such areas are familiar refrains that are worth highlighting: (1) the SEC leveraging its investigative process—emphasizing its use of data analytics—to identify suspicious activity; and (2) its penalties against “gatekeepers” (i.e., individuals and companies who owe a heightened duty of trust and responsibility to clients and investors).

Continue Reading Play it again, SEC: Two Familiar Refrains from the FY 2022 Enforcement Results

On October 18, 2022, the Department of Justice (DOJ) announced a guilty plea by Lafarge, S.A., a French building materials company, and its Syria-based subsidiary, for providing material support to designated Foreign Terrorist Organizations. The case represents the first criminal prosecution of a company for providing material support to terrorism and demonstrates that the agency is putting teeth behind its recent pronouncements that that it will prioritize national security-related investigations.

Last year, the DOJ announced that one of the agency’s top priorities was fighting corporate crime, with an enhanced focus on national security issues.  As Deputy Attorney General Lisa Monaco explained, “[c]orporate crime has an increasing national security dimension — from the new role of sanctions and export control cases to cyber vulnerabilities that open companies up to foreign attacks.” In September 2022, the DOJ updated its enforcement guidance, notably confirming that misconduct posing a grave threat to national security will be an aggravating factor in deciding whether to take enforcement action in corporate criminal matters. The Lafarge case and other recent enforcement actions highlight the DOJ’s commitment to these principles and portend heightened focus on prosecuting corporations whose compliance and oversight missteps result in threats to U.S. national security.

Continue Reading DOJ Continues to Prioritize National Security-Related Cases with First Corporate Terrorism Support Prosecution

On September 27, 2022, the United States Securities and Exchange Commission (SEC) announced a settlement with Oracle Corporation (Oracle) to resolve allegations that its subsidiaries in India, Turkey, and the United Arab Emirates violated the Foreign Corrupt Practices Act (FCPA) by creating off-the-books slush funds and using those slush funds to bribe foreign government officials.

Without admitting or denying the SEC’s findings, Oracle agreed to cease and desist from violating the anti-bribery, books and records, and accounting provisions of the FCPA and to pay approximately $8 million in disgorgement and a $15 million penalty.

Notably for both attorneys and companies, the SEC’s order provides insights into how to design an effective corporate compliance program to minimize legal risk, including FCPA risk.

The SEC’s Findings

The SEC found that, from at least 2014 to 2019, Oracle’s subsidiaries in India, Turkey, and the United Arab Emirates “used discount schemes and sham marketing reimbursement payments” to finance slush funds, which were held by Oracle’s “channel partners” (i.e., distributors and resellers) in those markets. The subsidiaries transacted through these channel partners during the relevant period under Oracle’s indirect sales model, by which channel partners sell Oracle products to end customers. According to the SEC, the subsidiaries and the complicit channel partners used the slush funds—which employees of the subsidiaries referred to as the “buffer,” “moneybox,” “pool,” and “wallet”—to bribe government officials in return for business. Specifically, the SEC determined that, among other things, (i) employees of Oracle Turkey and Oracle UAE used slush funds to pay for travel for government officials, including to Oracle’s annual technology conference in California; (ii) an Oracle Turkey employee directed cash bribes to government officials; (iii) an Oracle UAE employee paid approximately $130,000 in bribes to the chief technology officer of a state-owned entity (SOE) in return for six contracts in 2018 and 2019; (iv) Oracle India employees funneled $330,000 to an entity known for paying government officials; and (v) an Oracle India employee maintained a spreadsheet indicating that $67,000 was available to make payments to a government official.

Continue Reading Key Compliance Takeaways from Oracle’s $23M FCPA Settlement with the SEC

The U.S. Securities and Exchange Commission (SEC) is putting some muscle behind Regulation Best Interest (Reg BI). On June 16, 2022, nearly two years after Reg BI went into effect, the SEC filed its first federal lawsuit to enforce the rule against a broker-dealer and its registered representatives.

The SEC sued Western International Securities, Inc. (Western), a dually registered broker-dealer and investment advisor, along with five of its registered representatives, in the U.S. District Court for the Central District of California for allegedly violating Reg BI’s care obligation; the defendants allegedly recommended certain high-risk, speculative bonds to retail customers without themselves fully understanding the associated asset risks and without establishing how the investments served the customers’ best interests. The SEC also charged Western with violating its compliance obligation under Reg BI for allegedly failing to maintain adequate policies and procedures and other controls.

The fact that the SEC sued registered representatives — notwithstanding allegations that their firm had inadequate internal controls and policies —  is a strong statement that individuals must use their best judgment to make their own independent inquiries and determinations about the products they recommend to their clients. Registered representatives cannot hide behind their firm’s guidance and control failures to escape primary liability under Reg BI.

Continue Reading SEC’s First Reg BI Lawsuit Takes Strong Position on Individual Liability