Podcast: Do DPAs Really Work?
Today we have another Radical Compliance podcast, trying to unpack a question near to the hearts of compliance professionals everywhere: Do deferred-prosecution agreements really work to improve corporate behavior?
This issue has been on my mind lately because federal prosecutors recently accused Boeing of breaching the DPA it struck in 2021 to settle criminal charges stemming from its 737 Max plane crashes in the late 2010s. What does that tell us about the effectiveness (or lack thereof) of DPAs? And if DPAs aren’t effective tools to change corporate behavior, then what should we use?
To consider those questions I called up Todd Haugh, professor of business law and ethics at Indiana University, who has been a close student of DPAs and corporate prosecutions for years. You can hear our full conversation at the top of this page. I’ve also dashed off a few additional thoughts below.
First, I’m frustrated (and I imagine most compliance officers are too) about the Justice Department’s lack of clarity on when and how a company might violate a DPA. In Boeing’s case, for example, prosecutors filed a two-page letter to the court on May 14 declaring that Boeing breached the agreement by “failing to design, implement, and enforce a compliance and ethics program to prevent and detect violations of the U.S. fraud laws throughout its operations.”
That could mean anything. I assume it relates to Boeing’s more recent troubles with the door that blew off an Alaska Airlines flight in January — but that’s just a guess on my part. The door incident happened almost three years to the day after Boeing signed its DPA in January 2021, and I suspect that in the fullness of time we’ll hear all manner of stories about whistleblower retaliation, managers turning a blind eye to safety risks, and so forth. Clearly some of that door safety misconduct must have happened during the pendency of Boeing’s previous DPA; but so far prosecutors haven’t spelled out where they believe Boeing’s compliance program went wrong.
The good news is that breaches of DPAs seem to be rare. Ericsson was found to be in violation of its DPA from 2019, and in 2023 settled those breach violations by pleading guilty to the original charges and paying another $206 million in penalties (on top of the $1 billion Ericsson paid in 2019). Now Boeing may go through the same wringer; that’s likely to be hashed out in the remainder of this year.
Still, the criteria to assess whether you’ve violated a DPA seem to depend on…
- The terms of the original settlement agreement;
- Any interim reports that you provide to prosecutors during the term of the agreement;
- Any reports from an independent compliance monitor, should your company be assigned one; and
- The zeal and diligence of the prosecutors working your case.
In other words, we have no objective criteria that the compliance community at large can study to understand this issue more completely. That’s unfortunate.
If Not DPAs, Then What?
Back to my podcast with Haugh. We also spent a fair bit of time talking about alternatives to deferred-prosecution agreements — because if they aren’t effective instruments in changing corporate behavior, what else could we use?
For example, go back to Boeing again. It is one of the largest defense contractors in the United States, and one of the most widely held stocks in U.S. capital markets. So however grave the company’s offenses might be, we’re not going to bar Boeing from bidding on government contracts or delist it from U.S. stock exchanges or anything like that.
In such cases — cases where a criminal conviction would destroy the company and throw many thousands of people out of work, which seems too high a price — then prosecutors will simply need to keep working the DPA to extract more concessions and change from the company. “There are all sorts of machinations that can take place to avoid convicting a company of criminal wrongdoing,” Haugh said.
For example, prosecutors could extend the term of the DPA or a compliance monitor (that’s what happened with Ericsson; the monitorship was extended another year). They could demand more frequent interim reports from the compliance team, which seems to be an emerging alternative to independent monitors anyway. There will always be more penalties, and perhaps more disgorgement of ill-gotten gains too. (I will watch closely to see what new penalties and disgorgement Boeing might need to pay amid these new DPA breach accusations.)
Still, I asked Haugh, do those measures truly drive change in corporate behavior, or just make a company fork over more money until the prosecutors go away?
That led to our most interesting exchange, debating how else prosecutors could drive a company to change its nature. Essentially, Haugh said, prosecutors must find some set of measures that disrupt what a company wants to do until it changes its ways: “You, the company, cannot do something unless you demonstrate that you’ve remade your culture and fixed your problems — and you fixed them in a way that’s sustainable in the future, not just in the short-term by a bunch of trainings or something like that.”
Compliance officers do already have an example of that concept in practice: Wells Fargo. When the bank suffered its massive fake-accounts scandal in the 2010s, federal banking regulators capped the total amount of assets Wells Fargo is allowed to manage at $1.95 trillion. That cap, essentially a limit on how big Wells Fargo is allowed to be, was imposed in 2018 and exists to this day. It is exactly the sort of sanction that drives boards and CEOs crazy.
OK, but how would that approach work for non-bank companies? Would regulators, say, cap total revenue that a company could earn, or branches it could open? That seems like an idea destined for court challenge.
Haugh speculated that perhaps civil regulators could work with prosecutors to constrain company growth while the company labored under a DPA or consent decree of some kind. For example, maybe prosecutors would work with the Federal Aviation Administration to cap the number of planes Boeing could deliver.
Whatever ideas regulators might find, we need them. Imposing higher fees and more reporting obligations drives up the cost of compliance more than it drives a change in culture.
What About CCOs Certifying Programs?
My other question is whether chief compliance officers might ever face personal legal liability for a DPA that has been breached.
If part of the original agreement was that the CCO provides enhanced compliance reporting to prosecutors, and then certifies the effectiveness of the program at the end of the term, and then prosecutors determine that, nope, actually you breached the DPA — wouldn’t that by definition mean that the CCO failed to do his or her job? Wouldn’t that certification be at least erroneous, if not deliberately false? Wouldn’t that bring legal jeopardy for the CCO?
Haugh deftly declined to speculate on that scenario, although he did say, “The structure is there to put them on the hot seat.”
We should note that Boeing’s DPA was signed in January 2021, before the Justice Department started including CCO certification requirements, so Boeing’s chief compliance officer (Darrin Hostetler) is not likely to face this question. Others in the future might.
Then again, let’s remember that the CCO certifies the effectiveness of the compliance program along with the CEO. Presumably the CEO doesn’t want to sit on that hot seat either, and will support the chief compliance officer’s efforts to change the culture.
Then again, that’s what I thought about Boeing when it reached its DPA in 2021. And here we are.