Despite a government shutdown that lasted almost the first four weeks of the year, 2019 proved eventful in the enforcement and regulatory space. Both the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) announced several policy changes, and, through both public pronouncements and filed actions, sent signals about their enforcement priorities going forward.
Below, we outline a number of events in 2019 that we expect will reverberate into 2020.
I. DOJ’s Codification of, and Revisions to, Corporate Policies
During 2019, DOJ codified or revised several policies related to corporate enforcement. The policy codification is a positive development in that it makes DOJ’s charging decisions more transparent. It also provides explicit guidance to entities implementing compliance programs and responding to potential misconduct. Below, we highlight two such DOJ policies that were amended or issued in 2019.
A. DOJ FCPA Corporate Enforcement Policy
In 2019, DOJ made two sets of revisions to the Foreign Corruption Practices Act Corporate Enforcement Policy (“CEP”), which was initially codified in 2017.1 While the CEP is explicitly applicable only to the FCPA, the CEP “provides nonbinding guidance” in all DOJ Criminal Division corporate matters, including in contexts when an acquiring company discovers misconduct at a target company, either before or after a merger or acquisition.
The CEP places a high premium on the prompt reporting of misconduct; specifically, it creates a presumption of declination when a corporate entity:
- voluntarily self discloses misconduct, meaning disclosure must occur, among other things, “prior to an imminent threat of disclosure [via other means] or government investigation”;
- “fully cooperat[es]” in DOJ’s investigation;
- undertakes “timely and appropriate remediation”; and
- disgorges any ill-gotten gains.
Even when DOJ concludes that criminal prosecution of a company is warranted, the CEP states that the company can obtain a significant reduction in its sentencing exposure if it voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated.
The two sets of 2019 amendments fined-tuned language surrounding the definitions of “voluntarily self-disclosure,” “full cooperation,” and remediation.2
The CEP’s promise of a presumption of declination clearly incentivizes speedy corporate cooperation. At the same time, for a company that discovers serious misconduct, the CEP highlights the stark choices between quickly reporting that misconduct (potentially alerting DOJ to conduct it did not otherwise know about), and not reporting that misconduct (and having DOJ learn about it from elsewhere) and then losing the presumption of declination. Obviously, the decision to report or not report can be assessed only in light of the facts and circumstances of a particular case.
Further, despite the 2019 fine-tuning, there remains a fair amount of gray area as to when a company actually qualifies for a presumption of declination. To its credit, however, recently DOJ has been at least somewhat transparent in explaining why the policy did not apply in certain cases. For example, in a recent FCPA corporate prosecution in the Eastern District of Virginia, the Department (i) noted that the defendant-company did not receive voluntary disclosure credit, (ii) outlined why the company would have received cooperation credit, but for the fact that the company “failed to meet reasonable deadlines imposed by [DOJ]”3 and “caused” “delays” “in reaching a resolution,” and (iii) “engaged in significant remedial measures.”4 See Deferred Prosecution, Agreement, United States v. Samsung Heavy Indus., No. 19 Cr. 328 (TSE) (E.D. Va. Nov. 22, 2019), ECF No. 16.
Further corporate resolutions in 2020 should provide additional insight into how DOJ is weighing the different policy factors.5
B. Guidance Regarding Corporate Compliance Programs
In April 2019, the DOJ also updated its guidance regarding the evaluation of Corporate Compliance Programs (the “Compliance Guidance”).6 This is significant because under DOJ policy, the adequacy and effectiveness of a compliance program is a factor prosecutors must consider when investigating a corporation.
The 2019 Compliance Guidance states that there are “three ‘fundamental questions’ a prosecutor should ask” in assessing a compliance program:
- “Is the corporation’s compliance program well-designed?”
- “Is the program being applied earnestly and in good faith? ‘In other words, is the program being implemented effectively?’”
- “Does the corporation’s compliance program work” in practice?
The Guidance goes on to give considerations relevant to each of these three questions. The factors that DOJ lists as indicative of a well-designed compliance program include, for example, the existence of risk-based assessments, anonymous internal reporting mechanisms, and risk-based compliance assessments of third-party relationships. As to whether a compliance program is being implemented effectively, the Guidance lists as important considerations, the commitment by senior and middle management, the autonomy and resources afforded to the compliance function, and the establishment of incentives for compliance and disciplinary measures for non-compliance. Finally, as to the factors relevant to whether a program works in practice, the Guidance lists “continuous improvement, periodic testing, and review;” the existence of a well-functioning and appropriately funded investigation mechanism; and the company’s efforts to remediate misconduct, including by making changes based on lessons learned from prior incidents.
In short, all companies would benefit from evaluating their compliance programs in light of the factors set out in the Guidance, to both prevent incidents from happening and, in the event of serious misconduct, to convince regulators that prosecution or other sanction of the company is not warranted.
II. Cyber-related Case Law and Investigations
2019 was an eventful year for the SEC in the cyber and digital asset space. Below we highlight two areas where the SEC took action in 2019.
First, we expect the SEC to continue to take an aggressive approach with respect to the registration of digital assets. The Enforcement Division’s 2019 Annual Report highlights a number of actions the SEC took in the past year against issuers of digital assets who have failed to comply with the registration requirements of the federal securities laws and emphasizes that “if a product is a security, regardless of the label attached to it, those who issue promote, or provide a platform for buying and selling that security must comply with the investor protection requirements of the federal securities laws.”7
As to the threshold question of whether a particular asset is in fact a “security,” such that it is subject to SEC regulation, it is possible that the courts may take a more restrictive view. Under the test developed over 70 years ago by the Supreme Court in SEC v. W. J. Howey Co., 328 U.S. 293 (1946), an instrument is an “investment contract” (and thus a “security”) only if it involves (i) an investment of money (ii) in a common enterprise (iii) expecting profits based on the efforts of others. In June 2019, the SEC sued digital-messaging platform Kik in the Southern District of New York, alleging that Kik had violated the securities laws by failing to register an offering of digital tokens.8 The action remains pending and has been vigorously litigated. Even if the SEC prevails, the Kik case may provide further guidance as to how courts will apply the Howey test to new types of assets.
Second, we may see securities enforcement actions against issuers that are, simultaneously, victims of cyber breaches. There have already been a number of such actions, including the 2018 action against Yahoo! for failing to disclose a 2014 data breach by Russian hackers affecting over 500 million users.9 Such actions—in which an entity is both a victim for some purposes and a potential defendant for others—raise a number of issues for which there is little guidance, either from the SEC or in case law. For example, when does a cyber breach become “material” such that it must be disclosed to investors? Relatedly, in some cases, there may be a potential conflict between the SEC’s disclosure-focused policies and the possible desire of the U.S. intelligence community or criminal authorities not to disclose details of the breach, either to allow an on-going investigation to continue and/or to deny cyber criminals from gaining intelligence on the success of their efforts. There is little agency guidance available to companies as to how to resolve such conflicts.
III. Continued Focus on Gatekeepers
We also expect to see additional SEC and DOJ investigations focused on “gatekeepers,” particularly both inside and outside accounting professionals. SEC Enforcement’s 2019 Annual Report emphasizes that “[g]atekeepers play a critical role in our markets, and policing their misconduct is a critical part of our mission” and that “auditors in particular play a key role, and it is essential that their independence and integrity failures be met forcefully.” The Report then cites, among other things, settled actions that the SEC brought in 2019 against two of the Big Four accounting firms.
We foresee no slowdown in this focus on gatekeepers in 2020. In last six weeks of 2019, the SEC filed three significant accounting fraud cases, each of which involved charges against the issuer’s current or former CFO, and parallel criminal actions against executives at the subject companies. In addition, a recent analysis of SEC comment letters—which can be a harbinger of future enforcement priorities—led some observers to conclude that the SEC may be preparing to crackdown on certain non-GAAP metrics.10
IV. Continued Investigations and Prosecutions at the Intersection of National Security and Traditional “White Collar” Offenses
In recent years there have been a number of prosecutions in which traditional “white collar” statutes like bank fraud and wire fraud were used to further aspects of U.S. national security strategy. We expect this trend to continue in 2020.
At a broad level, an example of this trend is the DOJ’s China Initiative, which was first announced in November 2018. The Initiative “reflects the Department’s strategic priority of countering Chinese national security threats . . . .” in particular through criminal prosecutions.11
In early 2019, DOJ charged China-based Huawei Technologies Co. Ltd. (Huawei), certain affiliates, and Huawei’s CFO, based on Huawei’s allegedly hiding the fact that some its operations in Iran violated U.S. sanctions law and regulations. The CFO was not charged with sanctions-related offenses. Instead she was indicted for bank fraud, wire fraud, and conspiracy to commit those offenses—based on a theory that she schemed to deceive U.S. financial institutions about the extent of Huawei’s Iranian operations.12
Similarly, in 2018, prosecutors in the Southern District of New York charged an Iranian national, Ali Sadr Hasemi Nejad (“Sadr”) for participating in a scheme in which payments for a project in Venezuela were routed through the U.S. financial system, to benefit Iranian individuals and entities, again in violation of U.S. sanctions law and regulations. Like in the Huawei case, the charges against Sadr included, among other things, bank fraud and conspiracy to commit bank fraud, based on Sadr’s allegedly inducing U.S. financial institutions to engage in prohibited transactions through deceptive means.13
For U.S. entities, prosecutions like Huawei and Sadr highlight the need for diligence in transactions involving China, Iran, Venezuela, and other countries that are subject to U.S. sanctions, and the fact that U.S. prosecutors (and, presumably, intelligence agencies) are keeping a close eye on such transactions.
As discussed in a previous client alert,14 in November, the Supreme Court agreed to hear a case concerning whether the SEC can obtain disgorgement as a remedy in federal district court proceedings. For over 40 years, the SEC has relied on disgorgement orders in federal district court proceedings to obtain tens of millions of dollars from individuals and entities alleged to have violated the securities laws. A holding that the SEC cannot obtain disgorgement would have significant effects, although the SEC could still obtain disgorgement in administrative proceedings, and there is proposed legislation in Congress that would give the SEC authority to obtain disgorgement in the district courts, regardless of any Supreme Court decision.
1 See FCPA Corporate Enforcement Policy, available at https://www.justice.gov/jm/jm-9-47000-foreign-corrupt-practices-act-1977#9-47.120.
2 For example, the policy initially required a company disclose “all relevant facts” to qualify for “voluntarily self-disclosure” credit. In the 2019 amendments, DOJ modified this phrase to “all relevant facts at the time of the disclosure” and explicitly “recognize[d] that a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure, especially where only preliminary investigative efforts have been possible.” (emphases added). In short, these changes indicate that to obtain full credit under the policy, a prompt disclosure (with sufficient caveats regarding the preliminary nature of the findings) may be preferable to a long investigation, at least in some cases.
3 The factors that did indicate full cooperation were the company’s “(i) conducting a thorough internal investigation; (ii) making regular factual presentations to the Fraud Section; (iii) voluntarily making foreign-based employees available for interviews in the United States; and (iv) producing relevant documents to [DOJ] from foreign countries accompanied by translations of key documents . . . .” See Deferred Prosecution Agreement, United States v. Samsung Heavy Indus., No. 19 Cr. 328 (TSE) (E.D. Va. Nov. 22, 2019), ECF No. 16 4(b).
4 Among the remedial measures cited were “(i) making significant enhancements to the Company’s compliance program, including by hiring additional compliance staff, implementing enhanced anti-corruption policies and improved whistleblower policies and procedures, and instituting mandatory anti-corruption training for all employees, and (ii) the enactment of controls, including the implementation of heightened due diligence controls over third party vendors, including review by compliance professionals.” Id. 4(d).
5 In addition, inasmuch as the Corporate Enforcement Policy applies to all corporate prosecutions, it bears noting that DOJ policy—the Principles of Federal Prosecution of Business Organizations—which DOJ has traditionally used to determine whether to bring charges against business organizations, remains alive and well. See Justice Manual § 9-28.300. The Principles require prosecutors to consider some factors that the Corporate Enforcement Policy does not, including for example, “collateral consequences” of a prosecution on non-culpable corporate stakeholders. Counsel should be on guard that a failure to qualify for a presumption of declination under the Corporate Enforcement Policy does not rule out a declination, without considering the Principles.
6 See U.S. Dep’t of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, available at https://www.justice.gov/criminal-fraud/page/file/937501/download
7 SEC Division of Enforcement, 2019 Annual Report, at 6, available at https://www.sec.gov/files/enforcement-annual-report-2019.pdf.
8 See SEC v. Kik Interactive Inc., No. 19 Civ. 5244 (AKH) (S.D.N.Y.).
9 See In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc., (SEC Apr. 24, 2018).
10 See SEC May Be Set to Crackdown on Companies That Adjust Revenue, marketwatch.com, Nov. 26, 2019, available at https://www.marketwatch.com/story/sec-may-be-set-to-crack-down-on-companies-that-adjust-revenue-2019-11-22
11 See Department of Justice China Initiative Fact Sheet, available at https://www.justice.gov/opa/page/file/1122686/download
12 See Indictment, United States v. Huawei Tech. Co., Ltd., et al., No. S2 18 Cr. 457 (AMD) (E.D.N.Y.).
13 See Indictment, United States v. Ali Sadr Hashemi Nejad, No. 18 Cr. 224 (ALC) (S.D.N.Y.).
14 See https://bakerbotts.com/insights/publications/2019/november/disgorgement-on-the-chopping-block-again.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 725 lawyers practicing throughout a network of 13 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy and technology sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.