In December, the Department of Justice (DOJ) announced the release of a new policy for business organizations regarding voluntary self-disclosures of export control and sanctions violations. The new Policy makes explicit that when a company (1) voluntarily self-discloses export control or sanctions violations to the Counterintelligence and Export Control Section (CES) of DOJ’s National Security Division (NSD), (2) fully cooperates, and (3) timely and appropriately remediates its conduct, there is now a presumption that, absent aggravating factors, the company will receive a non-prosecution agreement and will not be fined.
The new Policy builds on the guidance NSD issued in October 2016 regarding voluntary self-disclosures (VSD) in export controls and sanctions investigations (the “2016 Guidance”). Several important points stand out about the new Policy.
First, even though the 2016 Guidance stressed the importance of submitting a voluntary self-disclosure, it did not provide companies with an indication of the clear benefits of doing so. Instead, the 2016 Guidance continued to stress that the ultimate resolution of any violation still depended on an evaluation of the totality of the circumstances in a particular case. The new Policy provides more clarity concerning the benefits of self-reporting.
Second, the new Policy makes it clear that a voluntary self-disclosure must be made to CES in order for a company to receive any benefits under the Policy; reporting to a regulatory agency – such as DDTC, BIS, or OFAC – will not suffice for a company to receive credit.
Third, the new Policy abolishes the carve-out for financial institutions that existed under the 2016 Guidance. Going forward, all business organizations, including financial institutions, can take advantage of the Policy.
Fourth, the new Policy conforms to other voluntary disclosure policies issued by the DOJ. Specifically, for compliance professionals and in-house counsel familiar with the Criminal Division’s FCPA Corporate Enforcement Policy (the “FCPA Policy”), the new Policy adopts similar definitions of several key terms, including for “Voluntary Self-Disclosure,” “Full Cooperation,” and “Timely and Appropriate Remediation” as those provided in the FCPA Policy. The DOJ has stated that recent clarifications made to the FCPA Policy, which we reported on here, in several instances were the result of coordination between NSD and the Criminal Division in anticipation of the rollout of this new Policy.
Fifth, the Policy in several instances emphasizes the importance of disclosure of facts relevant to individuals involved in the violations. This is consistent with the DOJ’s continued emphasis on prosecuting and holding individuals accountable for wrongdoing.
What Counts as a “Voluntary Disclosure”?
The new policy identifies three necessary elements of a voluntary disclosure:
- The self-disclosure must occur prior to an imminent threat of disclosure or government investigation. In other words, a company should not wait to self-disclose until it is facing a threat of government action. The sooner a company discloses, the better.
- The disclosure must occur within a reasonably prompt time after the company becomes aware of the violation, with the burden on the company to show that it disclosed promptly. This continues to allow latitude for conducting an internal investigation to ascertain the facts prior to disclosure, although such efforts must be completed promptly or phased to allow for an initial prompt disclosure, with a supplemental disclosure to follow later.
- The company should make a fulsome disclosure regarding all relevant facts known to it regarding the violation. Most importantly, keeping in line with the DOJ’s continued emphasis on prosecuting individuals, a company should disclose the identities of the individuals involved in or responsible for the violation. Similar to the recently revised FCPA Policy, the new Policy states that the DOJ “recognizes that a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure, especially where only preliminary investigative efforts have been possible.” In such situations, “a company should make clear that it is making its disclosure based upon a preliminary investigation or assessment of information, but it should nonetheless provide a fulsome disclosure of the relevant facts known to it at that time.”
What Steps Must a Company Take to Receive Credit for “Full Cooperation”?
Full cooperation is determined by multiple factors, including:
- Full Disclosure, including regarding the involvement of specific individuals. Companies must make full disclosure of all relevant facts gathered through an internal investigation, including facts related to the involvement in the criminal activity by the company’s officers, employees, or agents; and all facts known or that become known to the company regarding potential criminal conduct by third-party companies.
- Proactivity. The company must be proactive rather than reactive by facilitating the investigation even when not directly asked to do so (such as producing documents that the DOJ is unaware of).
- Document production. The company must timely preserve, collect, and disclose relevant documents. If a company cannot disclose overseas documents due to foreign laws (such as data privacy or blocking statutes), the company bears the burden of establishing this prohibition and must work to identify all legal bases to produce the documents.
- De-confliction. The company must de-conflict witness interviews and other internal investigative steps to ensure that they do not interfere with the DOJ’s investigation.
- Witness availability. The company should make available for interviews its officers and employees who possess relevant information. This may include officers, employees, and agents located overseas as well as former officers and employees (subject to the individuals’ Fifth Amendment rights) and third-party witnesses.
What Constitutes “Timely and Appropriate Remediation” Under the New Policy?
The five criteria that are required for timely and appropriate remediation are (1) analysis of the root causes of the violation; (2) the implementation of an effective compliance program; (3) appropriate discipline of employees responsible for the misconduct through direct participation or failure in oversight, as well as those with supervisory authority over the conduct; (4) record retention, which includes prohibiting the improper destruction or deletion of business records and the implementation of policies governing the use of personal communications devices/channels; and (5) any additional steps such as demonstrating recognition of the seriousness of the misconduct, accepting responsibility, implementing measures to reduce the risk of repetition of such misconduct, and identifying future risks.
What Are the Potential “Aggravating Factors” That Could Result in a More Stringent Resolution?
Aggravating factors that create “elevated threats to national security” include the exports of (1) items controlled for nuclear nonproliferation or missile technology reasons to a proliferator country; (2) items known to be used in the construction of weapons of mass destruction; (3) items to a foreign terrorist organization or designated terrorist individual; and (4) military items to a hostile foreign power. In addition, repeated violations and knowing involvement of upper management in the criminal conduct can also constitute aggravating factors.
What Happens When “Aggravating Factors” Are Present so That a Company Is No Longer Eligible for a Non-Prosecution Agreement?
If the DOJ decides that a non-prosecution agreement is inappropriate (which could result in a deferred prosecution agreement or a guilty plea), the company still benefits from the voluntary disclosure in two key ways. First, DOJ will accord or recommend to a sentencing court that any fine be capped at 50 % of the fine that would otherwise be available. Further, if the company has already implemented an effective compliance program at the time of the resolution, the DOJ will not require the appointment of a compliance monitor.