Important Recent Updates to DOJ Policy on Voluntary Self-Disclosure and Corporate Compliance Programs

By Donald D. Ashley and Cynthia Schnedar

In February and March of 2023, the U.S. Department of Justice (DOJ) announced significant policy updates affecting a broad range of businesses, including those regulated by the U.S. Food and Drug Administration (FDA). The first concerns the specific circumstances under which DOJ will not seek a guilty plea from a company that voluntarily self-discloses misconduct. The second addresses how, when evaluating the adequacy of corporate compliance programs, DOJ assesses executive compensation structures as well as company policies on the use of messaging applications and personal devices to conduct company business.

Both updates implement revisions to DOJ’s corporate criminal enforcement policies first announced in a September 2022 memorandum by Deputy Attorney General Lisa Monaco (Monaco Memorandum).[1] In her speech announcing these new policies, Deputy Attorney General Monaco explained:

With a combination of carrots and sticks—with a mix of incentives and deterrence—we’re giving general counsels and chief compliance officers the tools they need to make a business case for responsible corporate behavior. In short, we’re empowering companies to do the right thing—and empowering our prosecutors to hold accountable those that don’t.[2]

We recommend FDA-regulated entities become familiar with DOJ’s newly announced “carrots and sticks,” and consider incorporating them into their own policies and procedures.

I. Voluntary Self-Disclosure Policy

The Monaco Memorandum instructed all DOJ components prosecuting corporate crime to draft and publicly share their specific policies on corporate voluntary self-disclosure to adhere to new core principles on self-disclosure identified in the Monaco Memorandum.[3] DOJ’s Consumer Protection Branch (CPB) published its Voluntary Self-Disclosure Policy for Business Organizations (Self-Disclosure Policy) in February 2023.[4]

CPB leads DOJ’s efforts to enforce laws protecting consumer health and safety and is specifically charged with prosecution and oversight of all criminal matters arising under the Federal Food, Drug, and Cosmetic Act, 21 U.S.C. § 301, et seq.[5] To carry out its mission, CPB brings criminal cases throughout the United States, often working with local U.S. Attorneys’ Offices to do so.

Pursuant to its policy, CPB encourages companies to voluntarily self-disclose directly to CPB potential violations of federal criminal law involving the manufacture, distribution, sale, and marketing of products regulated by FDA.[6] One of the stated purposes of this new policy is to encourage companies to implement strong compliance programs to prevent and detect such violations.[7]

A. The Benefits of Voluntary Self-Disclosure

As described in the CPB policy, voluntary disclosure confers two benefits on disclosing firms: 1) CPB will not seek a guilty plea from a company for disclosed conduct, absent the presence of aggravating factors discussed further below; and 2) CPB will not require imposition of an independent compliance monitor for a cooperating company that has voluntarily self-disclosed.[8]

Avoiding criminal conviction through voluntary disclosure provides clear benefit, given the serious direct and indirect consequences that can arise from nearly any corporate criminal conviction, especially in a highly regulated industry such as medical products manufacture and distribution. To qualify for this benefit, however, a company must have: 1) voluntarily self-disclosed directly to CPB; 2) fully cooperated;[9] and 3) timely and appropriately remediated the criminal conduct,[10] including providing restitution to victims and improving its compliance program to mitigate the risk of future illegal activity.[11] In addition, to avoid imposition of an independent compliance monitor, which can result in substantial corporate expenditures and significant disruption to corporate operations, CPB’s Self-Disclosure Policy requires a company to demonstrate that it has implemented and tested an effective compliance program.[12] 

B. What Constitutes Voluntary Self-Disclosure

Before affording a company any benefits under this policy, CPB advises that it will carefully assess the circumstances of any corporate self-disclosure to ensure several elements are present. First and foremost, the company must disclose the conduct directly to CPB and must do so prior to “an imminent threat of disclosure or government investigation”[13] and “within a reasonably prompt time after becoming aware of the offense.”[14] Further, the company must not have a pre-existing obligation to disclose the conduct to DOJ, for example, pursuant to the resolution of a prior criminal or civil matter. The company’s disclosure must also be accompanied by the timely preservation, collection, and production of all relevant documents and information. Finally, the company must disclose all relevant facts known to it at the time of the disclosure, including as to any individuals (or other third parties) substantially involved in or responsible for the misconduct at issue.[15]

    1. Disclosure Must Be to CPB, not a Regulatory Agency

While not trying to discourage additional self-disclosure to regulatory agencies, CPB places great emphasis on self-disclosure directly to CPB and notes that if a company chooses to self-report only to a regulatory agency, such as FDA, and not also to CPB directly, the company will not qualify for benefits under CPB’s Self-Disclosure Policy.[16] CPB further notes that neither the elements described above nor credit for voluntary self-disclosure itself requires the waiver of attorney–client privilege or work product protection.[17]

    2. Potential Aggravating Factors

Even where a firm demonstrates all the elements necessary to establish voluntary self-disclosure, CPB’s policy puts companies on notice that aggravating factors, if present to a significant degree, could result in CPB pursuing a more stringent resolution for a company, including requiring a guilty plea from a corporate defendant in a particular case.[18] CPB identified the following non-exhaustive list of potential aggravating factors:

  • deeply pervasive misconduct throughout the company;
  • intentional or willful conduct placing consumers at significant risk of death or serious bodily injury;
  • intentionally or willfully targeting vulnerable victims; and
  • knowing involvement of upper management in the criminal conduct.[19]

C. Deciding When to Voluntarily Self-Disclose

While CPB’s new policy provides firms an additional strong incentive to voluntarily disclose criminal conduct to DOJ, the decision to do so nevertheless remains a complicated matter. A company needs time to internally investigate any new allegation to determine whether it has merit. It is also unclear what DOJ will consider to be “within a reasonably prompt time.”[20] However, the clock will be ticking to meet these conditions so that the disclosure is both “reasonably prompt” and “prior to imminent threat of disclosure or government investigation.” On the other hand, if the company errs on the side of reporting before ascertaining whether the conduct rises to the level that should be disclosed, the company risks bringing upon itself unwarranted scrutiny from DOJ.

It is particularly interesting that CPB requires companies to disclose potential criminal conduct directly to CPB; disclosure to FDA or another regulatory agency would not be sufficient.[21] Companies often make early disclosures to FDA of potential data integrity issues and then work with FDA on determining the impact on the regulated product. Data integrity issues such as these may or may not rise to the level of a criminal violation, but they are often referred to FDA’s Office of Criminal Investigations for evaluation. It is now clear that companies will receive no credit from CPB under its Self-Disclosure Policy for this type of early disclosure to FDA. 

This myriad of factors must be considered as a company determines whether a voluntary self-disclosure to CPB is warranted. Voluntary self-disclosure also necessarily requires a company to have knowledge of the potential criminal conduct; companies should therefore have effective policies and procedures in place to detect misconduct, including those that encourage employees to promptly report any allegations of misconduct and those that facilitate adequate and timely investigation and preservation of evidence when allegations arise. Because these matters involve complicated issues with wide-ranging consequences, companies are well advised to quickly seek the advice of experienced legal counsel when considering such a disclosure.

II. Evaluation of Corporate Compliance Programs

In March 2023, DOJ’s Criminal Division issued an updated version of its guidance for prosecutors, Evaluation of Corporate Compliance Programs (ECCP Guidance),[22] which expands on the directives in the September 2022 Monaco Memorandum. Significantly, the latest revision adds two important factors that prosecutors should consider when assessing the adequacy of a corporation’s compliance program: 1) corporate compensation schemes; and 2) corporate policies on business use of personal devices and messaging applications and platforms.

A. Overview of ECCP Guidance

The ECCP Guidance is meant to assist prosecutors in making informed decisions about the adequacy and effectiveness of corporate compliance programs when considering whether to bring criminal charges against a company, as well as when determining what monetary penalties or other obligations (e.g., an independent monitor or required reporting) to seek in any corporate criminal resolution.[23] Although not part of DOJ’s Criminal Division, CPB follows the same principles when assessing corporate compliance programs for charging and resolution purposes.[24]  

The 2023 revision of the ECCP Guidance, like earlier versions, directs prosecutors to focus on three fundamental questions when assessing a corporation’s compliance program: 1) is it well designed; 2) is it applied earnestly and in good faith, or in other words, is it adequately resourced and empowered to function effectively; and 3) does it work in practice?[25] The new version adds two significant factors that prosecutors are advised to take into account when answering these fundamental questions.

1. Corporate Compensation Schemes

The ECCP Guidance recognizes compensation schemes can play an important role in fostering a culture of compliance. Accordingly, prosecutors are specifically advised to consider whether a company has designed its compensation systems to incentivize compliance, for example, by escrowing certain compensation to ensure conduct tied to that compensation is consistent with company values and policies before final payout or by clawback provisions permitting the company to recoup previously awarded compensation when the recipient is later found to have engaged in corporate wrongdoing. Prosecutors are further instructed to evaluate not only the design of the compensation systems but also whether they are enforced in practice in accordance with company policy and applicable law.[26]  

The 2023 ECCP Guidance also directs an assessment of a company’s commercial targets and how financial incentives are structured for senior-level executives. The recommended analysis starts by asking whether a company has considered if its commercial targets are achievable when the business operates in a compliant and ethical manner. Among other questions, the guidance also asks what role the compliance function has in designing and awarding financial incentives at senior levels of the company and what percentage of executive compensation is structured to encourage enduring ethical business objectives.[27]    

2. Messaging Applications and Personal Devices

The 2023 ECCP Guidance recognizes that the use of personal devices and messaging applications has become commonplace at home and at work and that these new technologies pose challenges to both DOJ and companies themselves when investigating suspected misconduct by company employees. Accordingly, the 2023 ECCP Guidance adds new discussion to guide prosecutors when considering whether corporate compliance programs enable companies to effectively conduct timely and thorough investigations of misconduct.[28]

When evaluating a company’s mechanisms to identify, investigate, report, and remediate potential misconduct, prosecutors are specifically advised to consider policy and procedure governing the use of personal devices, communication platforms, and messaging applications, including those designed to be ephemeral.[29] The 2023 ECCP Guidance makes clear that corporate policy and procedure should ensure, as appropriate and to the greatest extent possible, that business-related electronic data are both accessible and amenable to preservation by the company, including the data held on private phones for those companies that choose to utilize a “bring your own device” (BYOD) program for their employees.[30] Ultimately, prosecutors are advised to consider whether a company’s approach to permitting and managing communication channels, including BYOD programs and the use of messaging applications, is reasonable in the context of the company’s business needs and its risk profile.[31]

B. Assessing Your Corporate Compliance Program Against the New Provisions in the ECCP Guidance

Companies should be assessing their corporate compliance programs to ensure they are consistent with all the provisions of the 2023 ECCP Guidance, and in particular with these two new provisions. First, companies should evaluate their financial incentives for executives within both the operational side and the quality side of their business. Financial incentives that focus too much on profit and not enough on ensuring quality and compliance could result in DOJ determining that your corporate compliance system is inadequate. Companies should also implement appropriate clawback provisions as a measure of financial deterrence against misconduct. Second, considering their risk profiles and legitimate business needs, companies should ensure they have both reasonable and effective policies and procedures in place governing when, if ever, and how business communications may take place on personal devices and messaging platforms. If such communications are permitted, companies should ensure they have policies and procedures in place to adequately preserve and access those communications.

Conclusion

FDA-regulated companies need to be aware of the new principles announced in the September 2022 Monaco Memorandum as well as the subsequent implementing policies by CPB and DOJ’s Criminal Division. Companies should be carefully reviewing all three documents to ensure their policies are consistent with the new guidelines announced for voluntary self-disclosure, compensation structures, and the preservation of business communications on messaging applications and personal devices. To benefit from these new policies, it is important for firms to act in advance of any allegations of misconduct arising to maximize the likelihood that DOJ will positively assess the company when DOJ is making its enforcement decisions. More importantly, adopting an effective corporate compliance program with strong systems to ensure quality, compliance, and integrity makes it more likely that a company may never have to deal with the scrutiny of DOJ in the first place.

 

[1] Memorandum from U.S. Dep’t of Justice, Off. of the Deputy Att’y Gen., Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group, (Sept. 15, 2022), https://www.justice.gov/opa/speech/file/1535301/download [hereinafter Monaco Memorandum].

[2] Deputy Attorney General Lisa O. Monaco Delivers Remarks on Corporate Criminal Enforcement, U.S. Dep’t of Justice (Sept. 15, 2022), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-remarks-corporate-criminal-enforcement.

[3] Monaco Memorandum, supra note 1, at 7–8. 

[4] U.S. Dep’t of Justice, Civil Division, Consumer Protection Branch, Voluntary Self-Disclosure Policy for Business Organizations (Feb. 2023), https://www.justice.gov/file/1571106/download.

[5] Id. at 1.

[6] Id.

[7] Id. at 4.

[8] Id. at 2.

[9] Id. (The meaning of “fully cooperated” is described in the Department of Justice, Justice Manual § 9-28.700).  

[10] Id. (The meaning of “timely and appropriately remediated” is described in United States Sentencing Guidelines (U.S.S.G.) § 8B2.1(b)(7)).

[11] Id.

[12] Id. (The meaning of an “effective compliance program” is defined by U.S.S.G. § 8B2.1).

[13] Id. (The meaning of “prior to an imminent threat of disclosure or government investigation” is defined by U.S.S.G. § 8C2.5(g)(1)). 

[14] Id. (The meaning of “within a reasonably prompt time after becoming aware of the offense” is defined by U.S.S.G. § 8C2.5(g)(1)). 

[15] Id. at 3.

[16] Id. at 1–2, note 2.

[17] Id. at 3.

[18] Id.

[19] Id.

[20] While CPB’s voluntary disclosure policy cites to U.S.S.G. § 8C2.5(g)(1) when defining “within a reasonably prompt time after becoming aware of the offense,” the U.S.S.G. application note for § 8C2.5(g)(1) only speaks to the timeliness of cooperation following an organization having been officially notified of a criminal investigation, rather than the timeliness of a voluntary disclosure prior to learning of a government investigation. See U.S.S.G. § 8C2.5, application note 13 (“To qualify for a reduction under subsection (g)(1) or (g)(2), cooperation must be both timely and thorough. To be timely, the cooperation must begin essentially at the same time as the organization is officially notified of a criminal investigation.”). No guidance is provided concerning the timeliness of a “voluntary disclosure” necessary to meet the “reasonably prompt” standard following a company becoming aware of the offense.   

[21] CPB’s Self-Disclosure Policy is silent on whether voluntary self-disclosure to another DOJ component, such as a U.S. Attorney’s Office, would qualify under the policy.

[22] U.S. Dep’t of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (June 2020, updated Mar. 2023), https://www.justice.gov/criminal-fraud/page/file/937501/download [hereinafter DOJ ECCP Guidance].

[23] Id. at 1.

[24] See Madeleine Giaquinto & Cynthia Schnedar, The Impact of DOJ’s Evaluation of Corporate Compliance Programs on FDA-Regulated Products, FDLI Update Mag. (Summer 2020) (quoting then-DOJ Deputy Assistant General David Morrel’s explanation from his keynote address at the FDLI Enforcement Conference in December 2019 that CPB “follows the same principles as DOJ’s Criminal Division of assessing compliance programs for charging and resolution purposes”), https://www.fdli.org/2020/04/the-impact-of-dojs-evaluation-of-corporate-compliance-programs-on-fda-regulated-products/.

[25] DOJ ECCP Guidance, supra note 22, at 1–2.

[26] Id. at 12.

[27] Id. at 13–14.

[28] Id. at 16–18.

[29] Id. at 17.

[30] Id.

[31] Id. at 18.