All eyes in the compliance community might be on the annual FCPA Conference happening in Washington right now, but compliance professionals might also want to note a different speech given across town Wednesday by John Cronan, deputy assistant attorney general.
Cronan popped up at a Practising Law Institute event to talk about companies cooperating with law enforcement on all sorts of criminal conduct issues — foremost the FCPA, but also cybersecurity, fraud, and other types of white-collar crime. Crucial to success on all of those fronts, he said, is a strong corporate culture of wanting to root out misconduct.
“It … behooves us to recognize that a culture of compliance with the rule of law inures to our mutual benefit — just as corruption and crime work to the detriment of both the private sector and the public trust,” Cronan said. “Prosecutors and companies alike play a critical role in fostering that corporate culture.”
Cronan spent considerable time talking up the idea of corporations self-reporting misconduct to the Justice Department. That’s no surprise. Under the Trump Administration we’ve seen numerous enforcement policy shifts away from corporate penalties for misconduct, toward credits and forgiveness if a company reports misconduct and works to implement stronger compliance programs. That’s what the FCPA Corporate Enforcement Policy is all about.
In theory, that shift is welcome news for corporate compliance officers since it validates the importance of a strong compliance program. In practice, however, it also gives cynical minds in the legal department an opening: why disclose at all? Just clean up the problem, keep quiet, and bet that an under-resourced Justice Department never discovers the misconduct on its own.
That’s a terrible idea, but it’s out there. So in various ways Cronan tried to knock it down.
Transparency in this space can induce results that benefit law enforcement and the private sector alike. We realize that companies regularly face difficult decisions with respect to law enforcement — perhaps most notably, for purposes of today’s attendees, how to respond after uncovering misconduct. If a company knows what factors we will consider in making prosecutorial decisions, and what outcome the company can reasonably expect based on the actions it takes, that company is better positioned to make an informed, rational decision as to what course of action is in its interests.
Legal department types will take that last sentence to heart, and sometimes argue that the informed, rational decision is not to disclose misconduct. For ethics and compliance officers, the analysis is simpler: high ethical standards demand that an organization discloses its misconduct. Period.
Cooperation and Cybersecurity
Cooperation and self-disclosure for FCPA violations are all well and good unto themselves. Much more pressing, however, is cooperation on cybersecurity threats — where law enforcement desperately wants companies stepping forward to admit they’ve been attacked. So Cronan spent time on that issue, too.
Many companies unfortunately, though understandably, fear that reporting cyber incidents to law enforcement will unduly disrupt their businesses or even potentially risk lawsuits or sanctions. We understand those fears, and the Criminal Division is committed to working collaboratively with companies after cyber incidents… [W]e are committed to conducting our investigations with discretion to prevent the unwarranted release of information about the incident, to avoid vitiating claims of privilege, to protect trade secrets from disclosure, and to minimize disruption to businesses.
This is true. At every Justice Department event I’ve attended where cybersecurity is discussed, federal prosecutors fall all over themselves to stress how important cooperation from the corporate world is, and how they will do their best to avoid putting the company in an unflattering spotlight.
Moreover, the Justice Department does have a compelling interest here: China. That country is clearly ramping up its industrial espionage against U.S. companies. Theft of intellectual property and surveillance of commercial activity are both areas where attacks against businesses are also threats to national security. Hence the Justice Department recently announced its “China Initiative” to crack down on economic aggression — which is a sensible step, but also one that can’t succeed without Corporate America’s help.
On the other hand, companies that admit to cybersecurity breaches have other headaches. If you’re a public company breached thanks to sloppy, outdated security procedures, the SEC might want to have a conversation with you. In egregious cases, the SEC might even impose penalties. Then there’s the Federal Trade Commission, state attorneys general, and civil litigation. So the incentives not to report lapses to law enforcement are there, too.
It’s a difficult question. Cronan clearly has the objective of selling companies on cooperation — and he’s right, companies should cooperate. But we can’t delude ourselves that the decision to cooperate is always easy.
Wanted: Real Compliance Programs
Back to effective compliance programs. After laying out those misconduct issues, Cronan gave several examples of companies that weren’t prosecuted for FCPA violations because they self-disclosed the misconduct, cooperated, and had strong compliance programs.
The Department has sought to reward companies that have taken meaningful, effective compliance seriously. That entails, upon uncovering misconduct, prosecutors looking at a business’s compliance both retrospectively and prospectively. Of course, companies that lack adequate compliance measures are less likely to deter and prevent misconduct, and also are less likely to uncover a problem at an early stage. But at the same time, we appreciate that, even if a company has implemented a strong and effective compliance program, that program still may not prevent one or a few bad actors from engaging in misconduct.
All in all, it’s a favorable speech for compliance professionals because it stresses the arguments you want to make to your senior management and board: that the Justice Department wants to see companies take compliance programs, and ethical duties to root out misconduct, seriously.
Even if the program isn’t perfect (spoiler alert: it won’t be), making the effort is what matters. That’s true measured in dollars spent on compliance; and just as true measured in doing the ethical thing — disclosing misconduct — even when that disclosure is gonna sting.