The U.S. Department of Justice (DOJ) recently released new guidance announcing several policy changes to further strengthen and clarify its approach to prosecuting corporate crime. The guidance, released through a memorandum by Deputy Attorney General Lisa Monaco (the Monaco Memo), instructs prosecutors about factors to consider when evaluating corporate cooperation and compliance programs in the context of potential criminal resolutions.

Notably, the Monaco Memo advises that “prosecutors should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.” This guidance is applicable to all third-party text and social media messaging platforms, and it is especially significant given the recent proliferation of business use of ephemeral messaging applications that provide an option to have messages automatically disappear from a recipient’s conversation history.

Companies would be wise to promptly review their business communications policies and procedures, in light of both possible DOJ oversight, as well as emerging privacy, security, and employment law scrutiny.

Who Is Covered?

Although many regulated entities such as broker-dealers and public companies already have record-keeping requirements under the securities laws and other applicable regulations, the Monaco Memo’s pronouncement is applicable to all companies with any nexus to the United States. Indeed, any company—regardless of size, industry, or location—that may find itself one day before the DOJ seeking to show that it has a robust and effective compliance program would be wise to thoroughly review its policies regarding the use of personal devices and third-party messaging applications. Failure to adopt appropriate policies in this regard would violate now-clearly stated DOJ expectations, resulting in a loss of credit for an effective compliance program in the context of a future DOJ investigation into the company’s conduct.

What Is Required?

In describing the DOJ’s expectations, the Monaco Memo states: “As a general rule, all corporations with robust compliance programs should have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications, should provide clear training to employees about such policies, and should enforce such policies when violations are identified.”

The memo does not elaborate beyond those general guidelines. Instead, the Criminal Division will study best corporate practices regarding the use of personal devices and third-party messaging platforms and publish its findings in the next edition of its Evaluation of Corporate Compliance Programs.

How Should Firms Proceed?

While they wait for the DOJ to issue its findings, however, companies are not entirely without guidance in this area. Less than two weeks after the Monaco Memo was released, the U.S. Securities and Exchange Commission (SEC) and the U.S. Commodity Futures Trading Commission (CFTC) announced settlements with numerous financial institutions that had failed to preserve and supervise their employees’ business communications on personal devices and third-party messaging platforms. As part of the settlements, each of the settling firms agreed to undertake certain remedial measures, including reviewing and improving their policies, training, technological solutions, surveillance, and discipline regarding business communications. In the absence of more specific requirements from the DOJ, those undertakings may serve as an emerging roadmap for what an effective personal devices and third-party messaging platforms compliance program should include.

Establish Clear Policies

Firms should ensure their written policies require all business communications to be preserved for a specified period of time, no matter the platform used. Companies should consider policies not only for employees, but also for directors and independent contractors (collectively referred to as “workforce members”). It may be advisable to have workforce members periodically acknowledge receipt and understanding of, and compliance with, these policies.

The policies should define what constitutes a “business communication” and clearly identify which devices and applications are permitted and which are prohibited. Permitted applications should be limited to those that the firm can use to collect and produce business communications in a reliable and timely fashion. In identifying permitted platforms, companies should solicit input from key departments such as information technology (IT) and security, human resources, and legal (especially with respect to enforcement of data subject rights and litigation holds).

The policies should make clear that if a workforce member stores any business information on their personal device or uses an unauthorized device or third-party messaging platform for business, the company will have the right to access the device and copy relevant data. If a workforce member deviates from policy, they should be subject to discipline, up to and including termination of employment. Companies also should evaluate realistically whether they have sufficient resources to monitor compliance with the policies.

Business communications policies often have profound employment law implications. For example, an employer may have wage-and-hour issues if hourly workers receive or respond to business communications while “off the clock.” Similarly, workforce members may be entitled to on-call pay while they are waiting for instructions or interrupting protected sick or family leave. And even in a nonunion setting, employer surveillance of business communications may lead to potential violations of the National Labor Relations Act (NLRA). Companies should ensure that their business communications policy is consistent with any employee handbook and a multitude of other policies, including but not limited to: bring your own device (BYOD), acceptable use, social media, confidentiality, privacy, and record retention.

Comply With Existing Record-Keeping Obligations

As a baseline, companies should make sure they are complying with all industry or location-specific record-keeping obligations. For example, federal securities laws require public companies to make and keep accurate “books, records and accounts.” Certain employers may be subject to detailed rules requiring administrative, technical, and physical safeguards around data privacy and security and extended data retention periods, such as those applicable to healthcare companies under the Health Insurance Portability and Accountability Act (HIPAA) and financial institutions under the Gramm-Leach-Bliley Act (GLBA).

Beginning January 1, 2023, in sweeping legislation that is the first of its kind, the California Privacy Rights Act (CPRA) will require certain companies to extend data subject rights to applicants, employees, and independent contractors residing in California. That law, and its forthcoming regulations, will contain new obligations regarding data tracking, retention, and disclosure that will make the distinction between business records and personally identifiable information even more important. Similar legislation is expected in other jurisdictions in the near future, and the cost and burden on companies to comply with these requirements can be significant.

As new record-keeping requirements are adopted by state and federal regulators, companies should continuously monitor and update their business communications policies to ensure they meet evolving standards in this area.

Provide Adequate Training

Companies should provide clear, periodic training on the policies and provide resources where workforce members can turn with questions. Importantly, firms should ensure that senior management and supervisors understand the policies and are setting the right tone from the top. As the Monaco Memo states, the DOJ will be especially focused on “how senior leaders have, through their words and actions, encouraged or discouraged compliance.”

Research Technological Solutions

Where companies know or reasonably should know that their workforce members use texting and ephemeral messaging applications for business, they should assess the relevant technology and offer workforce members options that allow critical business data to be collected and retained. In many countries, the use of ephemeral applications has become so ubiquitous that they have surpassed traditional text messaging and voice calls.

Companies should evaluate whether to provide workforce members firm-issued mobile phones pre-loaded with applications designed to retain or encrypt data, or to permit workforce members to BYOD as long as they install firm-mandated software that “sandboxes” and retains company data in an isolated environment. Businesses that adopt BYOD environments also should be mindful of state and local laws that require reimbursement of costs workforce members incur for business-related technology and service plans.

Monitor and Enforce Compliance

The Monaco Memo states that the DOJ will be looking at whether the company has “enforced” its policies when violations are identified. To do so, companies will need to find an appropriate, risk-based process for monitoring workforce members’ compliance with the policies. Importantly, the policies should be enforced with appropriate discipline when violated, regardless of the workforce member’s title. Inconsistent application of the policy could subject the employer to claims of employment discrimination, as well as generally undermining any claim that the company is committed to these policies and their effectiveness.

Each company has unique policies, procedures, risk tolerances, and corporate culture with respect to business communications. Given the multidisciplinary issues and high stakes involved in light of the DOJ’s recent guidance, companies should work closely with experienced counsel to balance compliance risk with business necessity.

Just this week, the Securities and Exchange Commission announced its enforcement results from fiscal year 2022. The Commission recovered a record $6.4 billion in penalties and disgorgement from companies and individuals. The announcement touted the 760 total enforcement actions in FY 2022—a nine percent increase from the year before—and summarized areas of innovation and growth within the Enforcement Division. Two such areas are familiar refrains that are worth highlighting: (1) the SEC leveraging its investigative process—emphasizing its use of data analytics—to identify suspicious activity; and (2) its penalties against “gatekeepers” (i.e., individuals and companies who owe a heightened duty of trust and responsibility to clients and investors).

Continue Reading Play it again, SEC: Two Familiar Refrains from the FY 2022 Enforcement Results

On October 18, 2022, the Department of Justice (DOJ) announced a guilty plea by Lafarge, S.A., a French building materials company, and its Syria-based subsidiary, for providing material support to designated Foreign Terrorist Organizations. The case represents the first criminal prosecution of a company for providing material support to terrorism and demonstrates that the agency is putting teeth behind its recent pronouncements that it will prioritize national security-related investigations.

Last year, the DOJ announced that one of the agency’s top priorities was fighting corporate crime, with an enhanced focus on national security issues. As Deputy Attorney General Lisa Monaco explained, “[c]orporate crime has an increasing national security dimension — from the new role of sanctions and export control cases to cyber vulnerabilities that open companies up to foreign attacks.” In September 2022, the DOJ updated its enforcement guidance, notably confirming that misconduct posing a grave threat to national security will be an aggravating factor in deciding whether to take enforcement action in corporate criminal matters. The Lafarge case and other recent enforcement actions highlight the DOJ’s commitment to these principles and portend heightened focus on prosecuting corporations whose compliance and oversight missteps result in threats to U.S. national security.

Continue Reading DOJ Continues to Prioritize National Security-Related Cases with First Corporate Terrorism Support Prosecution

On September 27, 2022, the United States Securities and Exchange Commission (SEC) announced a settlement with Oracle Corporation (Oracle) to resolve allegations that its subsidiaries in India, Turkey, and the United Arab Emirates violated the Foreign Corrupt Practices Act (FCPA) by creating off-the-books slush funds and using those slush funds to bribe foreign government officials.

Without admitting or denying the SEC’s findings, Oracle agreed to cease and desist from violating the anti-bribery, books and records, and accounting provisions of the FCPA and to pay approximately $8 million in disgorgement and a $15 million penalty.

Notably for both attorneys and companies, the SEC’s order provides insights into how to design an effective corporate compliance program to minimize legal risk, including FCPA risk.

The SEC’s Findings

The SEC found that, from at least 2014 to 2019, Oracle’s subsidiaries in India, Turkey, and the United Arab Emirates “used discount schemes and sham marketing reimbursement payments” to finance slush funds, which were held by Oracle’s “channel partners” (i.e., distributors and resellers) in those markets. The subsidiaries transacted through these channel partners during the relevant period under Oracle’s indirect sales model, by which channel partners sell Oracle products to end customers. According to the SEC, the subsidiaries and the complicit channel partners used the slush funds—which employees of the subsidiaries referred to as the “buffer,” “moneybox,” “pool,” and “wallet”—to bribe government officials in return for business. Specifically, the SEC determined that, among other things, (i) employees of Oracle Turkey and Oracle UAE used slush funds to pay for travel for government officials, including to Oracle’s annual technology conference in California; (ii) an Oracle Turkey employee directed cash bribes to government officials; (iii) an Oracle UAE employee paid approximately $130,000 in bribes to the chief technology officer of a state-owned entity (SOE) in return for six contracts in 2018 and 2019; (iv) Oracle India employees funneled $330,000 to an entity known for paying government officials; and (v) an Oracle India employee maintained a spreadsheet indicating that $67,000 was available to make payments to a government official.

Continue Reading Key Compliance Takeaways from Oracle’s $23M FCPA Settlement with the SEC

The U.S. Securities and Exchange Commission (SEC) is putting some muscle behind Regulation Best Interest (Reg BI). On June 16, 2022, nearly two years after Reg BI went into effect, the SEC filed its first federal lawsuit to enforce the rule against a broker-dealer and its registered representatives.

The SEC sued Western International Securities, Inc. (Western), a dually registered broker-dealer and investment advisor, along with five of its registered representatives, in the U.S. District Court for the Central District of California for allegedly violating Reg BI’s care obligation; the defendants allegedly recommended certain high-risk, speculative bonds to retail customers without themselves fully understanding the associated asset risks and without establishing how the investments served the customers’ best interests. The SEC also charged Western with violating its compliance obligation under Reg BI for allegedly failing to maintain adequate policies and procedures and other controls.

The fact that the SEC sued registered representatives — notwithstanding allegations that their firm had inadequate internal controls and policies — is a strong statement that individuals must use their best judgment to make their own independent inquiries and determinations about the products they recommend to their clients. Registered representatives cannot hide behind their firm’s guidance and control failures to escape primary liability under Reg BI.

Continue Reading SEC’s First Reg BI Lawsuit Takes Strong Position on Individual Liability

On September 29, 2022, the Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued its highly anticipated Final Rule implementing the beneficial ownership information (“BOI”) reporting requirements of the Corporate Transparency Act (“CTA”) legislation. The Final Rule brings about the most significant revisions to the U.S. anti-money laundering/countering the financing of terrorism (“AML/CFT”) compliance framework in more than 20 years, implementing sweeping beneficial ownership disclosure requirements applicable to all U.S. companies and foreign companies doing business with or within the U.S.

The Final Rule generally tracks FinCEN’s earlier Proposed Rule from December 7, 2021, discussed in our prior article here, although there have been a few amendments to the earlier proposal. Below we provide a brief summary of key provisions and takeaways from the Final Rule, which goes into effect on January 1, 2024.

Continue Reading FinCEN Issues Highly Anticipated Final Rule on Beneficial Ownership Reporting under the Corporate Transparency Act

On September 15, 2022, Deputy Attorney General (DAG) Lisa Monaco announced several significant policy updates impacting the U.S. Department of Justice’s (DOJ) enforcement practices for both corporations and individuals. Speaking to attendees at the NYU Program on Corporate Compliance and Enforcement (PCCE), DAG Monaco detailed a series of initiatives, some of which appear to have emerged from the Corporate Crime Advisory Group formed last fall to conduct a full-scale review of the DOJ’s corporate enforcement efforts. The DOJ simultaneously released a memorandum outlining the guidance announced by DAG Monaco.

The new guidance bolsters enforcement priorities that DAG Monaco has emphasized over the past year. As discussed in further detail below, the Department’s policy updates are substantive and have significant ramifications on both the individual and corporate level, including: (1) continued focus on individual accountability; (2) enhanced policies to predictably reward voluntary self-disclosure; (3) further clarity on the impact of corporate recidivism considerations on negotiated resolutions with the DOJ; and (4) new metrics for evaluating effective corporate compliance, including compliance-conscious compensation structures and policies on the use of personal devices and third-party messaging applications.

Continue Reading DOJ Announces Sweeping Policy Updates Targeting Corporate Criminal Enforcement and Individual Accountability

The DOJ recently garnered a win in its spoofing case against two precious metals traders who prosecutors alleged had engaged in widespread market manipulation and fraud through a practice known as “spoofing.” But the verdict is also in on the DOJ’s novel attempt to utilize racketeering charges against traders accused of spoofing: the jury found the defendants not guilty of the alleged RICO violations. While the case highlights the DOJ’s continued crackdown on market manipulation schemes, it also illustrates the limits of the government’s reach.

Background

The DOJ’s case against the traders dates back to 2019, when prosecutors unveiled sweeping charges alleging that the traders had engaged in thousands of deceptive trading sequences for gold, silver, platinum, and palladium futures contracts between May 2008 and August 2016. The DOJ alleged that by engaging in these practices, the traders violated the Commodity Exchange Act’s anti-spoofing provisions, which prohibit disruptive trading practices, including “bidding or offering with the intent to cancel the bid or offer before execution.”

However, in addition to the usual spoofing and other financial crime-related offenses, the indictment charged the traders with a racketeering conspiracy. When the indictment became public back in 2019, commentators predicted that the DOJ’s inclusion of RICO charges could make the government’s case simpler to prove. Instead of convincing the jury through a complicated series of orders, cancellations, price movements, and trades (i.e., the typical evidence used to establish a pattern of spoofing), the path to conviction under the RICO Act was supposed to be more straightforward. In this case, the indictment alleged that “the defendants and their co-conspirators were members of an enterprise—namely, the precious metals desk at [the bank]—and conducted the affairs of the desk through a pattern of racketeering activity, specifically, wire fraud affecting a financial institution and bank fraud.”

Continue Reading DOJ Secures Spoofing Conviction, but Loses on Novel RICO Charges

In a criminal case against two former officers of Cognizant Technology Solutions Corp. (Cognizant), a New Jersey federal district court recently ordered Cognizant to produce unredacted internal interview memorandums and notes prepared by its outside counsel. The court found that the company had waived attorney-client privilege and work-product protection over those documents by disclosing the information contained in them to the U.S. Department of Justice (DOJ). The decision is a cautionary reminder to companies of the risk of waiving privilege when cooperating with the government.

Continue Reading Court Holds Oral Downloads of Witness Interviews Waive Corporate Privilege