Corporate Investigations and Improved Compliance Programs Provide Opportunities to Mitigate Exposure

Publication Publication



Recent Department of Justice (DOJ) pronouncements, as well as older Federal Acquisition Regulation (FAR) requirements, present both duties and opportunities for organizations to investigate and report fraudulent or other misconduct. Companies may find that with the opportunities the FAR and DOJ guidance provide, there are also costly obligations to achieve compliance and mitigation of exposure. In this article, we provide recommendations about how to best comply with these obligations and take advantage of the associated opportunities to mitigate risk. In addition, we look at potential complications that might result from the incentivization of organizations to obtain cooperation credit.

On May 7, 2019, the DOJ provided guidance to companies targeted for civil FCA prosecution. In announcing the guidance, Assistant Attorney General Jody Hunt acknowledged that the recommendations "incentivize companies to voluntarily disclose misconduct and cooperate with [government] investigations." Hunt summarized the benefits to FCA defendants as follows:

False Claims Act defendants may merit a more favorable resolution by providing meaningful assistance to the Department of Justice – from voluntary disclosure, which is the most valuable form of cooperation, to various other efforts, including the sharing of information gleaned from an internal investigation and taking remedial steps through new or improved compliance programs.

Cooperation credit may be obtained by voluntarily disclosing relevant information such as the identity of individuals whose conduct is suspect and sharing the results of internal investigations with the government. With this cooperation, remediation of the conduct, and compliance enhancements, companies may pay less, possibly even single damages, to resolve the matter. The May 7, 2019, changes are codified in Section 4-4.112 of the DOJ's Justice Manual. 

Voluntary Disclosure and Cooperation

For government contractors, the obligation to disclose criminal conduct and violations of the FCA is not new. Government contractors have an affirmative FAR obligation to:

timely disclose, in writing, to the Office of the Inspector General (OIG), with a copy to the Contracting Officer, whenever, in connection with the award, performance, or closeout of this contract or any subcontract thereunder, the Contractor has credible evidence that a principal, employee, agent, or subcontractor of the Contractor [employee or agent] has committed:

(A) A violation of federal criminal law involving fraud, conflict of interest, bribery, or gratuity violations found in Title 18 of the United States Code; or
(B) A violation of the civil False Claims Act (31 U.S.C. 3729-3733). See FAR 52.203-13.

In addition to the FAR's Mandatory Disclosure Rule, the DOJ's recent changes to the "Yates Memo," originally issued in 2015, highly incentivize contractors and other companies to fully investigate potential criminal violations, coordinate their investigations with the government, and share all of the results with the government. In comments on November 29, 2018, announcing the DOJ's changes to the "Yates Memo," Deputy Attorney General Rod Rosenstein said:

A[ny] company seeking cooperation credit in criminal cases must identify every individual who was substantially involved in or responsible for the criminal conduct. (Emphasis added.)

While the qualification to report only "substantially involved" employees narrowed the Yates Memo's requirement, significant time and effort to investigate are still the obligation of government contractors and other organizations.

How far cooperation for credit under the May 7, 2019, guidance must go to qualify, however, remains to be seen. Key factors for establishing "material assistance" under the new guidance include:

  • is disclosure timely and voluntary;
  • is it truthful, complete, and reliable;
  • what are the details; and
  • how significant and useful is it.

Remaining questions to consider for taking advantage of opportunities to mitigate FCA liability by full cooperation include, but are not limited to:

  • when to make a disclosure;
  • how to measure "substantial involvement";
  • whether and when to disclose third-party (agent, competitor, vendor, customer) conduct;
  • what documents to preserve and for how long;
  • whether to provide witnesses for interviews or testimony or to name sources;
  • whether to affirmatively (and even publicly in press releases and settlement documents) accept responsibility; and
  • how to anticipate and weigh the costs in attorney's fees and experts; distraction of employees, management, and board members; and adverse publicity, including effects on investor and customer relations/disclosure.

Remediation of the Conduct and Compliance Program Enhancements

In addition to timely, voluntary, truthful, complete, and useful cooperation, the DOJ will consider the extent to which an organization has taken "appropriate remedial actions." Section 4-4.1122 of the DOJ Justice Manual provides several examples of remedial actions that can mitigate exposure:

  • conducting a thorough analysis of the cause of the underlying conduct and, where appropriate, remediation to address the root cause;
  • disciplining or replacing those responsible for the misconduct either through direct participation or failure in oversight, as well as those with supervisory authority over the area where the misconduct occurred; and
  • implementing or improving an effective compliance program designed to ensure the misconduct does not occur again.

On April 30, 2019, the DOJ's Criminal Division updated its "Evaluation of Corporate Compliance Programs," a guidance document detailing topics and questions prosecutors should weigh when determining whether a company has demonstrated sufficient commitment to compliance that it can receive credit in a corporate settlement. 

In addition, on July 11, 2019, there was another DOJ announcement regarding incentives to implement and enhance corporate compliance programs. For years the Antitrust Division of the Department of Justice resisted, in contrast to the Criminal Division, considering and awarding credit for companies' "robust" compliance programs. In a speech at NYU on July 11, 2019, and in a related press release, Assistant Attorney General Makan Delrahim announced a new credit incentive for corporate compliance programs in both charging decisions and sentencing recommendations. "Good corporate citizenship" will now be rewarded by the Antitrust Division. This supplements the leniency program (no prosecution of the first-in company and reduced fines for later reporting companies under "leniency plus"). Now deferred prosecution agreements can be earned and, if prosecuted, companies can still get credit to reduce fines.

With the obvious benefits of implementing and improving an effective compliance program, it would be prudent for organizations to review and update their compliance programs to ensure they meet the standards set forth in the DOJ's "Evaluation of Corporate Compliance Programs" guidance document and in both the Civil Division's FCA credit policy and now the Antitrust Division's new initiative.

Three Major Considerations are the Focus of the Corporate Compliance Programs Guidance

Is your corporate compliance program

  • well-designed;
  • effectively implemented; and
  • working in practice?

This is what federal prosecutors will want to know when evaluating the effectiveness of your organization's compliance program.

The DOJ previously warned companies against having a compliance program which is only a "paper program"; failing to provide sufficient staffing to audit, document, and analyze the company's compliance efforts; and not adequately training and informing its employees about the company's compliance program and the company's commitment to it. The Fraud Section's Compliance Counsel in February 2017 provided a list of relevant questions to ask about different considerations in a compliance program. As presaged by new Assistant Attorney General Brian Benczkowski's October 2018 comments, the new April 30, 2019, guidance is more explicit. At a minimum, a corporate compliance program should address and prohibit criminal conduct, detect such conduct and facilitate prompt reporting, and discover involvement of senior management.

Board and Executive Leadership Must Set Tone at the Top and Downward Through Management for Corporate Compliance

Of primary concern to prosecutors is that a company should develop a "culture of ethics and compliance" with all relevant federal laws. The DOJ expects that company leadership have and communicate a high level of commitment to implementing a culture of compliance from the top. A company's board of directors and senior executives are to set this tone of compliance through shared commitment and oversight. With this leadership, a company should have and maintain a well-designed, comprehensive compliance program which is implemented, reviewed, and revised as appropriate. Through the development of policies and procedures enforced by middle management and the education and training of staff, the company's compliance standards are reinforced and encouraged.

Failure by a company's board of directors and senior officers to provide this leadership can result in misconduct going undetected or ignored, thus creating increased risks for civil and criminal liability to the company, its board members, officers, and employees.

The DOJ advises that its answers to the "fundamental questions" in its Guidance are not to be considered a checklist or formula. In fact, the relevance of these questions will be dictated by the facts at issue in a particular case. However, the questions and answers can be used by the company to evaluate the health of its compliance program and identify risks, gaps, and areas for improvement.

What is a Well-Designed Compliance Program?

The Guidance provides that a well-designed compliance program requires a robust risk assessment process, and appropriate and updated policies and procedures; tailored training and communications; confidential reporting structure and investigation process; and the application of risk-based due diligence to its third-party relationships. In addition, the DOJ emphasizes that a company should engage in comprehensive due diligence of any acquisition targets, warning that "flawed or undetected due diligence can allow misconduct to continue at the target company."

How to Judge the Effectiveness of the Implementation of a Compliance Program

Whether a compliance program has been implemented effectively will be measured by the commitment of the company's top leaders, the board of directors, and executives to fostering a culture of ethics and compliance with the law. The DOJ warns that it will look to how senior leaders, through their words and actions, have encouraged or discouraged compliance.

Effective implementation requires a company to give appropriate autonomy and resources to those charged with the day-to-day oversight of the compliance program so that they can act with adequate authority and stature. Prosecutors are advised to address the sufficiency of personnel and resources within the compliance function by evaluating whether those responsible for compliance have: (1) sufficient seniority within the organization; (2) sufficient staff and resources to effectively undertake the requisite auditing, documentation, and analysis functions; and (3) sufficient autonomy from management in order to have direct access to the board of directors or the board's audit committee. Internal audit functions must be conducted "at a level sufficient to ensure their independence and accuracy." In addition, a company should have established incentives for compliance and disincentives for noncompliance. The company should ensure that disciplinary actions and incentives are fairly and consistently applied across its organization.

How to Measure Whether a Compliance Program "Works in Practice"

Whether a company's compliance program works in practice will be judged by how frequently the company engages in internal audits, testing, and reviews; whether the company engages in timely and thorough investigations of allegations or suspicions of misconduct; how the company documents and responds to its findings, including documentation of any disciplinary or remediation measures taken; and whether the company conducts a root cause analysis of the misconduct and acts timely and appropriately to remediate and address the identified root causes. Obviously, this effort dovetails with the obligations of companies to investigate and identify those individuals "substantially involved" in misconduct under the 2015 Sally Yates Memorandum and its 2018 modification by Deputy Attorney General Rod Rosenstein.

With the opportunities provided by the FAR and DOJ guidance, there are costly obligations to achieve compliance and mitigation of exposure. How to best take advantage efficiently requires clear objectives and sequencing of steps to take, good communication with the government, and teamwork between management and the board, inside and outside counsel, and their third-party advisors.

Potential Issue with DOJ Incentives

As discussed above, there are tremendous incentives for organizations to uncover and disclose criminal conduct, as well as FCA violations, and to turn over all of the evidence they uncover to the government. These incentives include: (1) cooperation credit in sentencing and assessment of penalties in criminal matters and (2) reduction of damages in civil FCA cases. The potential for the government to use the fruits of the company's internal investigation to prosecute or sue its own employees raises several questions.

One of the questions raised is: At what point has the organization been sufficiently "deputized" as government-like investigators so that their employees are entitled to Garrity warnings, given that any statement made during the internal investigation may be used against them in a subsequent criminal prosecution?

Garrity is a 1967 Supreme Court decision which held that "statements obtained from public employees under threat of termination of employment were involuntary and therefore inadmissible against them in a criminal trial." Connolly and Black Decision and Order at p. 20. The Garrity rules can apply to private sector conduct "where the actions of a private employer in obtaining statements are 'fairly attributable to the government.'" Id. citing U.S. v. Stein, 541 F.3d 130, 152 n.11 (2d Cir. 2008).

In the recent Connolly and Black case, the trial court concluded that, under the facts of that case, the government "outsourced" its investigation to the company, Deutsche Bank, and its outside counsel to such degree that they "were de facto the government for Garrity purposes." Connolly and Black Decision and Order at p. 2. In Connolly and Black, there was a significant amount of cooperation and interaction between the company and the government. The government even gave the company's outside attorneys direction regarding the specific employees to interview and how to conduct those interviews. Under these facts, the court found that the "government violated Garrity because Deutsche Bank's interviews of Gavin Black, for which he was compelled to sit under threat of termination, are fairly attributable to the government." Id. at p. 29. Moreover, under the prior Stein case, the government cannot force the company, under a non-prosecution agreement, to condition payment of employees' attorney's fees on their cooperating with the government. U.S. v. Stein, 542 F.3d 130, 150 (2d Cir. 2008).

The implications of holdings such as these are not yet clearly determined. In addition to Upjohn warnings, will organizations be required to provide employees interviewed during internal investigations additional warnings similar to a Garrity warning? If the results of the company's internal investigation will be provided to the government and could result in criminal prosecution, will private sector employees have a constitutional right to have counsel present? Will the government be likely to continue to work with companies and essentially help them conduct internal investigations? The government in Connolly and Black could not deny the bank's cooperation credit when the bank's internal investigation was conducted under the government's guidance and direction. Thus, if the government, now chastised, becomes unwilling to work with organizations to make sure they are conducting thorough and complete investigations, will it become more difficult for companies to receive cooperation credit?


In summary, until some of the questions raised are more fully resolved, companies should continue to take steps to ensure they receive full cooperation credit and mitigate risk to the greatest degree possible by:

  • Making timely and truthful voluntary disclosure,
  • Cooperating with government investigations,
  • Taking appropriate remedial measures, and
  • Implementing and enhancing corporate compliance programs.

Follow Us

Our Mission is to help member firms serve their clients' legal needs and business interests through a worldwide network of quality law firms that meet high professional standards.