Compliance officers have a new cooperation credit policy from the Justice Department to consider, this one addressing sanctions and export control issues. It differs just enough from other cooperation policies we’ve seen from the Trump Administration that compliance officers need to give this one more attention.
The policy was announced last Friday by David Burns, deputy assistant AG for the Justice Department’s National Security Division. It hits many of the same notes as the department’s FCPA Corporate Enforcement Policy from 2017. Foremost, businesses looking for leniency over sanctions issues should voluntarily self-report their misconduct, cooperate fully with any investigation, and remediate any control weaknesses that allowed the trouble to happen.
OK, compliance officers have heard all that before. So what’s the news?
First, in exchange for that cooperation, the National Security Division will be predisposed to offer a non-prosecution agreement and no monetary penalties. So right away this policy for sanctions isn’t as generous as its counterpart for FCPA enforcement, which presumes an outright declination to prosecute for those same steps.
Why? “Given the threats to national security posed by violations of our export control and sanctions laws, we determined that a presumption of an NPA without a fine was appropriate,” Burns said when announcing the policy last week.
Second, this cooperation policy applies only if you disclose your sanctions misconduct to the Justice Department. Reporting the misconduct to civil agencies, such as the Office of Foreign Asset Controls or Bureau of Industry and Security, won’t do you any good. If you want to win credit with the Justice Department, you must disclose to the National Security Division, too.
Third, and as always, the Justice Department only presumes it will offer an NPA and no penalties absent any aggravating factors.
Well, the aggravating factors in sanctions world aren’t quite the same as those compliance officers see in FCPA world. So policing against those factors might require different procedures and oversight.
Aggravating Factors in Sanctions
The new sanctions cooperation policy gives six examples of aggravating factors:
- Knowing involvement of upper management in the criminal conduct;
- Repeated violations, including similar administrative or criminal violations in the past;
- Exports to a foreign terrorist organization or specially designated global terrorist;
- Exports of items controlled for nuclear nonproliferation or missile technology reasons to a proliferator country;
- Exports of items known to be used in the construction of weapons of mass destruction; and
- Exports of military items to a hostile foreign power.
Those first three items we’ve also seen as aggravating factors in the FCPA Enforcement Policy, if you interpret “terrorist” here as “high-risk individual” in the anti-bribery context. They touch on issues such as tone at the top, effective policies and procedures, and due diligence on business partners. Compliance officers know how to handle those issues.
The last three items, however, are more about the actual goods involved in the transaction — which usually isn’t a big concern in FCPA world. That is, one company doesn’t face more FCPA penalties because it bribed a foreign government official to buy computers, versus another company that bribed a foreign official to buy sugar. The offense is the illegal way the transaction was brought about, not what the transaction actually was.
So a compliance program trying to avoid those aggravating factors in sanctions risk will need to be much more adept at monitoring high-risk goods the company sells — in addition to all the usual due diligence, corporate culture, and policies & procedure issues.
Let’s say your your sanctions issue does involve aggravating factors and therefore an NPA goes off the table. Even in that case, the new policy offers some solace: at least a 50 percent discount off the bottom end of potential monetary penalties, and no compliance monitor if the company has an effective compliance program in place at the time of resolution.
Sure, you’re still facing a DPA or criminal charge rather than an NPA, but every little bit helps.
‘Effective Compliance Program’
My other question is how the Justice Department and other regulators will define an effective compliance program.
Yes, the new cooperation policy lists criteria for how prosecutors will judge a compliance program’s effectiveness, and they are the same criteria we’ve all seen before: resources dedicated to compliance, corporate culture, reporting structure for compliance personnel, and so forth. Compliance officers can also rely on the much more expansive guidance about evaluating compliance programs that the Justice Department published earlier this year, since National Security Division prosecutors will use those guidelines like every other part of the Justice Department.
But an effective sanctions compliance programs is really dictated by the Office of Foreign Assets Control, and OFAC published its own guidance about effective compliance programs last May — one with many more specifics than the Justice Department counterpart.
For example, the OFAC guidance clearly prefers companies to have a centralized sanctions compliance program for the whole enterprise; spells out four capabilities the sanctions compliance program should have (identify, interdict, escalate, and report suspicious transactions); and even gets into the nitty-gritty about screening software your program might use.
So when we say a company must have an “effective” compliance program by time of resolution, we’re really talking about two inter-connected layers of effectiveness — the OFAC view, and the Justice Department view. The new cooperation policy even says (in a footnote, but it’s there) that the National Security Division will “coordinate with the appropriate regulatory agency in assessing a corporation’s remediation efforts and compliance program.”
That’s not an unreasonable position for regulators to take. I just wonder how it will work in practice when they try to evaluate the compliance program of a company looking to take advantage of this policy. It’s going to be a more complicated process than what compliance officers have experienced in FCPA program evaluations.