Despite a government shutdown that lasted almost the first four weeks of the year, 2019 proved eventful in the enforcement and regulatory space. Both the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) announced several policy changes, and, through both public pronouncements and filed actions, sent signals about their enforcement priorities going forward.

Below, we outline a number of events in 2019 that we expect will reverberate into 2020.

I. DOJ’s Codification of, and Revisions to, Corporate Policies

During 2019, DOJ codified or revised several policies related to corporate enforcement. The policy codification is a positive development in that it makes DOJ’s charging decisions more transparent. It also provides explicit guidance to entities implementing compliance programs and responding to potential misconduct. Below, we highlight two such DOJ policies that were amended or issued in 2019.

A. DOJ FCPA Corporate Enforcement Policy

In 2019, DOJ made two sets of revisions to the Foreign Corruption Practices Act Corporate Enforcement Policy (“CEP”), which was initially codified in 2017.¹ While the CEP is explicitly applicable only to the FCPA, the CEP “provides nonbinding guidance” in all DOJ Criminal Division corporate matters, including in contexts when an acquiring company discovers misconduct at a target company, either before or after a merger or acquisition.

The CEP places a high premium on the prompt reporting of misconduct; specifically, it creates a presumption of declination when a corporate entity:

1. voluntarily self discloses misconduct, meaning disclosure must occur, among other things, “prior to an imminent threat of disclosure [via other means] or government investigation”;
   
   
2. “fully cooperat[es]” in DOJ’s investigation;
   
   
3. undertakes “timely and appropriate remediation”; and
   
   
4. disgorges any ill-gotten gains.

Even when DOJ concludes that criminal prosecution of a company is warranted, the CEP states that the company can obtain a significant reduction in its sentencing exposure if it voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated.

The two sets of 2019 amendments fined-tuned language surrounding the definitions of “voluntarily self-disclosure,” “full cooperation,” and remediation.²

The CEP’s promise of a presumption of declination clearly incentivizes speedy corporate cooperation. At the same time, for a company that discovers serious misconduct, the CEP highlights the stark choices between quickly reporting that misconduct (potentially alerting DOJ to conduct it did not otherwise know about), and not reporting that misconduct (and having DOJ learn about it from elsewhere) and then losing the presumption of declination. Obviously, the decision to report or not report can be assessed only in light of the facts and circumstances of a particular case.

Further, despite the 2019 fine-tuning, there remains a fair amount of gray area as to when a company actually qualifies for a presumption of declination. To its credit, however, recently DOJ has been at least somewhat transparent in explaining why the policy did not apply in certain cases. For example, in a recent FCPA corporate prosecution in the Eastern District of Virginia, the Department (i) noted that the defendant-company did not receive voluntary disclosure credit, (ii) outlined why the company would have received cooperation credit, but for the fact that the company “failed to meet reasonable deadlines imposed by [DOJ]”³ and “caused” “delays” “in reaching a resolution,” and (iii) “engaged in significant remedial measures.”⁴ See Deferred Prosecution, Agreement, United States v. Samsung Heavy Indus., No. 19 Cr. 328 (TSE) (E.D. Va. Nov. 22, 2019), ECF No. 16. 

Further corporate resolutions in 2020 should provide additional insight into how DOJ is weighing the different policy factors.⁵

B. Guidance Regarding Corporate Compliance Programs

In April 2019, the DOJ also updated its guidance regarding the evaluation of Corporate Compliance Programs (the “Compliance Guidance”).⁶ This is significant because under DOJ policy, the adequacy and effectiveness of a compliance program is a factor prosecutors must consider when investigating a corporation.

The 2019 Compliance Guidance states that there are “three ‘fundamental questions’ a prosecutor should ask” in assessing a compliance program:

1. “Is the corporation’s compliance program well-designed?”
   
   
2. “Is the program being applied earnestly and in good faith? ‘In other words, is the program being implemented effectively?’”
   
   
3. “Does the corporation’s compliance program work” in practice?

The Guidance goes on to give considerations relevant to each of these three questions. The factors that DOJ lists as indicative of a well-designed compliance program include, for example, the existence of risk-based assessments, anonymous internal reporting mechanisms, and risk-based compliance assessments of third-party relationships. As to whether a compliance program is being implemented effectively, the Guidance lists as important considerations, the commitment by senior and middle management, the autonomy and resources afforded to the compliance function, and the establishment of incentives for compliance and disciplinary measures for non-compliance. Finally, as to the factors relevant to whether a program works in practice, the Guidance lists “continuous improvement, periodic testing, and review;” the existence of a well-functioning and appropriately funded investigation mechanism; and the company’s efforts to remediate misconduct, including by making changes based on lessons learned from prior incidents.

In short, all companies would benefit from evaluating their compliance programs in light of the factors set out in the Guidance, to both prevent incidents from happening and, in the event of serious misconduct, to convince regulators that prosecution or other sanction of the company is not warranted.

II. Cyber-related Case Law and Investigations

2019 was an eventful year for the SEC in the cyber and digital asset space. Below we highlight two areas where the SEC took action in 2019.

First, we expect the SEC to continue to take an aggressive approach with respect to the registration of digital assets. The Enforcement Division’s 2019 Annual Report highlights a number of actions the SEC took in the past year against issuers of digital assets who have failed to comply with the registration requirements of the federal securities laws and emphasizes that “if a product is a security, regardless of the label attached to it, those who issue promote, or provide a platform for buying and selling that security must comply with the investor protection requirements of the federal securities laws.”⁷

As to the threshold question of whether a particular asset is in fact a “security,” such that it is subject to SEC regulation, it is possible that the courts may take a more restrictive view. Under the test developed over 70 years ago by the Supreme Court in SEC v. W. J. Howey Co., 328 U.S. 293 (1946), an instrument is an “investment contract” (and thus a “security”) only if it involves (i) an investment of money (ii) in a common enterprise (iii) expecting profits based on the efforts of others. In June 2019, the SEC sued digital-messaging platform Kik in the Southern District of New York, alleging that Kik had violated the securities laws by failing to register an offering of digital tokens.⁸ The action remains pending and has been vigorously litigated. Even if the SEC prevails, the Kik case may provide further guidance as to how courts will apply the Howey test to new types of assets.

Second, we may see securities enforcement actions against issuers that are, simultaneously, victims of cyber breaches. There have already been a number of such actions, including the 2018 action against Yahoo! for failing to disclose a 2014 data breach by Russian hackers affecting over 500 million users.⁹ Such actions—in which an entity is both a victim for some purposes and a potential defendant for others—raise a number of issues for which there is little guidance, either from the SEC or in case law. For example, when does a cyber breach become “material” such that it must be disclosed to investors? Relatedly, in some cases, there may be a potential conflict between the SEC’s disclosure-focused policies and the possible desire of the U.S. intelligence community or criminal authorities not to disclose details of the breach, either to allow an on-going investigation to continue and/or to deny cyber criminals from gaining intelligence on the success of their efforts. There is little agency guidance available to companies as to how to resolve such conflicts.

III. Continued Focus on Gatekeepers

We also expect to see additional SEC and DOJ investigations focused on “gatekeepers,” particularly both inside and outside accounting professionals. SEC Enforcement’s 2019 Annual Report emphasizes that “[g]atekeepers play a critical role in our markets, and policing their misconduct is a critical part of our mission” and that “auditors in particular play a key role, and it is essential that their independence and integrity failures be met forcefully.” The Report then cites, among other things, settled actions that the SEC brought in 2019 against two of the Big Four accounting firms.

We foresee no slowdown in this focus on gatekeepers in 2020. In last six weeks of 2019, the SEC filed three significant accounting fraud cases, each of which involved charges against the issuer’s current or former CFO, and parallel criminal actions against executives at the subject companies. In addition, a recent analysis of SEC comment letters—which can be a harbinger of future enforcement priorities—led some observers to conclude that the SEC may be preparing to crackdown on certain non-GAAP metrics.¹⁰

IV. Continued Investigations and Prosecutions at the Intersection of National Security and Traditional “White Collar” Offenses

In recent years there have been a number of prosecutions in which traditional “white collar” statutes like bank fraud and wire fraud were used to further aspects of U.S. national security strategy. We expect this trend to continue in 2020.

At a broad level, an example of this trend is the DOJ’s China Initiative, which was first announced in November 2018. The Initiative “reflects the Department’s strategic priority of countering Chinese national security threats . . . .” in particular through criminal prosecutions.¹¹

In early 2019, DOJ charged China-based Huawei Technologies Co. Ltd. (Huawei), certain affiliates, and Huawei’s CFO, based on Huawei’s allegedly hiding the fact that some its operations in Iran violated U.S. sanctions law and regulations. The CFO was not charged with sanctions-related offenses. Instead she was indicted for bank fraud, wire fraud, and conspiracy to commit those offenses—based on a theory that she schemed to deceive U.S. financial institutions about the extent of Huawei’s Iranian operations.¹²

Similarly, in 2018, prosecutors in the Southern District of New York charged an Iranian national, Ali Sadr Hasemi Nejad (“Sadr”) for participating in a scheme in which payments for a project in Venezuela were routed through the U.S. financial system, to benefit Iranian individuals and entities, again in violation of U.S. sanctions law and regulations. Like in the Huawei case, the charges against Sadr included, among other things, bank fraud and conspiracy to commit bank fraud, based on Sadr’s allegedly inducing U.S. financial institutions to engage in prohibited transactions through deceptive means.¹³

For U.S. entities, prosecutions like Huawei and Sadr highlight the need for diligence in transactions involving China, Iran, Venezuela, and other countries that are subject to U.S. sanctions, and the fact that U.S. prosecutors (and, presumably, intelligence agencies) are keeping a close eye on such transactions.

V. Disgorgement

As discussed in a previous client alert,¹⁴ in November, the Supreme Court agreed to hear a case concerning whether the SEC can obtain disgorgement as a remedy in federal district court proceedings. For over 40 years, the SEC has relied on disgorgement orders in federal district court proceedings to obtain tens of millions of dollars from individuals and entities alleged to have violated the securities laws. A holding that the SEC cannot obtain disgorgement would have significant effects, although the SEC could still obtain disgorgement in administrative proceedings, and there is proposed legislation in Congress that would give the SEC authority to obtain disgorgement in the district courts, regardless of any Supreme Court decision.    

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.