As part of a sweeping revamp of its white-collar criminal enforcement policies that began last year, the Department of Justice (DOJ) announced two significant changes last week. The first is a new three-year pilot program that rewards companies for clawing back compensation from executives and employees responsible for underlying criminal conduct. The second involves higher scrutiny of companies’ data and communication policies and an increased obligation to identify and produce data on company and personal devices and servers.
DOJ rewards compensation clawbacks with reduced fines for criminally responsible companies.
On March 2, 2023, Deputy Attorney General (DAG) Lisa Monaco announced that companies found guilty of committing crimes will receive reduced fines if they claw back compensation paid to executives and employees responsible for the misconduct.1
In her speech announcing the new policies, DAG Monaco stated, “[c]ompanies should ensure that executives and employees are personally invested in promoting compliance.” “Nothing grabs attention or demands personal investment like having skin in the game, through direct and tangible financial incentives.”2 To ensure company leadership has skin in the game, DOJ is launching a three-year pilot program that will require companies that reach resolution with the criminal division to change their corporate compensation and bonus programs so that criminal misconduct is punished with policies and practices that allow for the company to recover responsible executive and employee compensation.3
“At the outset of a criminal resolution, the resolving company will pay the applicable fine, minus a reserved credit equaling the amount of compensation the company is attempting to claw back from culpable executives and employees,” she said. “If the company succeeds and recoups compensation from a responsible employee, the company gets to keep that clawback money — and also doesn’t have to pay the amount it recovered.”4
Monaco recognized how challenging it can be for companies to claw back the full amount from their employees, so DOJ’s pilot program will “ensure that those who pursue clawbacks in good faith but are unsuccessful are still eligible to receive a fine reduction.”5
On the other hand, companies that do not engage in clawback efforts will not receive the full benefit of available discounts for otherwise fulsome cooperation in resolving criminal misconduct.6
DAG Monaco left several questions unanswered. As an initial question, how will individual wrongdoing be decided? Will the company determine which individuals should be held responsible for underlying criminal conduct, or will DOJ? Will clawback efforts be tied to a criminal conviction, or will they be part of the negotiation process between the company and DOJ?
Once individuals are identified, what is the impact of local employment laws, and what is DOJ’s view of the interrelationship with those laws? What internal procedures should the company adopt to make its decision fair and effective? Must there be an internal hearing process where employees can defend their position? And will there be time limitations on enforceability such that executives and employees can feel comfortable spending their bonuses or other potentially affected compensation?
How DOJ’s new pilot program addresses these nuanced issues remains to be seen.
Preservation of Messaging App Communications
DOJ expects companies to adopt practices that ensure the preservation of relevant communications in the event of a self-report or investigation of misconduct.
On March 3, 2023, following DAG Monaco’s announcement of DOJ’s new clawback pilot program, Assistant AG (AAG) Kenneth A. Polite said during a speech that DOJ is making significant changes to its Evaluation of Corporate Compliance Programs (ECCP), including how it considers a corporation’s handling of personal devices used by employees as well as various communications platforms and messaging applications, including those offering ephemeral messaging.7
“Under the revised ECCP,” AAG Polite said, “DOJ will consider how policies governing these messaging applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate, business-related electronic data and communications can be preserved and accessed.”8
In evaluating companies’ compliance programs in the context of assessing corporate criminal culpability and cooperation, prosecutors will also consider how companies communicate the policies to employees and whether they enforce them on a consistent basis. Prosecutors will evaluate the electronic communication channels used by companies, including details about preservation and deletion settings and any “bring your own device” programs and related preservation policies.9
“We won’t stop there,” AAG Polite stressed, “if a company has not produced communications from these third-party messaging applications, our prosecutors will not accept that at face value.”10 Instead, prosecutors will ask about the company’s access to these kinds of communications and whether they are stored on corporate devices or servers. Failure to provide sufficient answers may affect any offer from DOJ to resolve criminal liability.
“So when crisis hits, let this be top of mind,” said AAG Polite.11
Companies that want to avoid scrambling to gain access to their employees’ data during a crisis, and risking the loss of relevant communications and information, should consider now how to incorporate DOJ’s increased focus on communications applications, personal devices used for business reasons, and ephemeral messaging into their own approach to these issues. Specifically, company compliance officers and executives should assess the company’s risk factors for serious DOJ enforcement actions and consider whether investing money and resources into overhauling existing data and communication policies is necessary to offset the risk of potentially lost or inaccessible information in the event of an enforcement event at the company.
DOJ’s new wave of policies has sent a clear message that it is leveraging companies’ own policies and procedures governing their executives and employees to hold individuals accountable for their role in corporate misconduct when reaching resolutions with companies that identify and self-report violations of law. DOJ is sweetening the pot for companies that enforce comprehensive compliance programs, report misconduct to DOJ, punish bad actors with compensation clawbacks, and fully cooperate with DOJ’s investigation – including granting full access to company data and communication channels.